A security report about DeepSeek has shifted attention from model performance to a simpler question: what happens when an AI company leaves sensitive systems exposed?
According to Wiz, researchers found a publicly accessible DeepSeek database “within minutes” of examining the company’s security. The database was tied to DeepSeek, the Chinese AI firm whose R1 model has recently drawn intense attention across the technology and AI markets.
A database left open
Wiz said the exposed system was an analytical ClickHouse database connected to DeepSeek. It was described as “completely open and unauthenticated,” meaning researchers could reach it without the normal barriers that would be expected around sensitive infrastructure.
The database contained more than 1 million instances of “chat history, backend data, and sensitive information, including log streams, API secrets, and operational details,” according to Wiz. That combination matters because it was not limited to one category of information. It included user-facing material, internal technical data, and secrets that can help explain how a service operates behind the scenes.
Wiz also reported that an open web interface allowed full database control and privilege escalation. Internal API endpoints and keys were available through the interface and common URL parameters.
In practical terms, the finding was not only about information being visible. The report said the interface made the database controllable. That is why the exposure stands out as a security issue for any service handling AI chat histories or operational data.
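A defender can check their own ClickHouse deployment for the "open and unauthenticated" condition described above. The following is an added example, not code from Wiz or DeepSeek, and the report does not say how DeepSeek's server was actually configured. It assumes the common case where exposure comes from ClickHouse's `listen_host`, per-user password and `networks` settings, and the sample XML is constructed for illustration.

```python
import xml.etree.ElementTree as ET

WILDCARD_LISTEN = {"0.0.0.0", "::"}      # server listens on every interface
ANY_SOURCE = {"0.0.0.0/0", "::/0"}       # user may connect from any address
PASSWORD_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")
EXTERNAL_AUTH_TAGS = ("ldap", "kerberos", "ssl_certificates")

def has_credential(user):
    """True if the user entry defines a non-empty password or external auth."""
    if any(user.find(t) is not None for t in EXTERNAL_AUTH_TAGS):
        return True
    return any((user.findtext(t) or "").strip() for t in PASSWORD_TAGS)

def audit_clickhouse(config_xml, users_xml):
    """Return a list of findings for a server config and a users config."""
    findings = []
    hosts = {(h.text or "").strip() for h in ET.fromstring(config_xml).iter("listen_host")}
    exposed = bool(hosts & WILDCARD_LISTEN)
    if exposed:
        findings.append("listen_host accepts connections on all interfaces")
    users = ET.fromstring(users_xml).find("users")
    for user in (users if users is not None else []):
        nets = {(ip.text or "").strip() for ip in user.iterfind("networks/ip")}
        open_net = bool(nets & ANY_SOURCE)
        if not has_credential(user):
            findings.append(f"user '{user.tag}' has no credential")
            if open_net and exposed:
                findings.append(f"CRITICAL: user '{user.tag}' is reachable "
                                "from any address without authentication")
        elif open_net:
            findings.append(f"user '{user.tag}' may log in from any address")
    return findings

# Constructed sample configs: a weak pair and a hardened pair.
WEAK_CONFIG = "<clickhouse><listen_host>0.0.0.0</listen_host></clickhouse>"
WEAK_USERS = ("<clickhouse><users><default><password></password>"
              "<networks><ip>::/0</ip></networks></default></users></clickhouse>")
HARDENED_CONFIG = "<clickhouse><listen_host>127.0.0.1</listen_host></clickhouse>"
HARDENED_USERS = ("<clickhouse><users><default>"
                  "<password_sha256_hex>" + "ab" * 32 + "</password_sha256_hex>"  # placeholder hash
                  "<networks><ip>10.0.0.0/8</ip></networks></default></users></clickhouse>")

if __name__ == "__main__":
    for line in audit_clickhouse(WEAK_CONFIG, WEAK_USERS):
        print(line)
```

A passing audit only covers the database's own settings; firewall rules, cloud security groups and any web interface placed in front of the database need to be reviewed separately.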
Why this matters for AI security
Much of the public conversation around AI security focuses on advanced risks. This case points to a more familiar problem: basic exposure of cloud systems.
Gal Nagli, writing on Wiz’s blog, framed the issue around the gap between rapid AI adoption and everyday security discipline. The point is straightforward. When people and organizations use AI tools, they may be placing sensitive data into services run by fast-moving providers.
The DeepSeek finding shows how the risk can appear at the infrastructure level. A model can be impressive, a service can attract attention, and a provider can still have weaknesses in how data is stored or protected.
For customers, the key lesson is not technical complexity. It is trust. AI tools often sit close to private prompts, business context, chat histories, and backend workflows. If the systems around those tools are exposed, the security concern is immediate.
DeepSeek protected the databases after contact
Ars said it contacted DeepSeek for comment and would update its post with any response. Wiz noted that it did not receive a response from DeepSeek about its findings.
Even so, the exposed databases were protected quickly after outreach. Wiz said that on Wednesday it contacted every DeepSeek email and LinkedIn profile it could find, and that within half an hour DeepSeek protected the databases Wiz had previously accessed.
Ami Luttwak, CTO of Wiz, told WIRED that the issue was severe because of the mismatch between how easy it was to find and the level of access obtained. He said, “The fact that mistakes happen is correct, but this is a dramatic mistake, because the effort level is very low and the access level that we got is very high.”
He also told WIRED, “I would say that it means that the service is not mature to be used with any sensitive data at all.”
The broader DeepSeek context
The security report landed while DeepSeek’s R1 model was already receiving unusually broad attention. R1 is described as a freely available simulated reasoning model. DeepSeek and some testers believe it matches OpenAI’s o1 model in performance.
R1 has also been tied to market volatility because DeepSeek purportedly runs it at a fraction of the cost of o1, at least on DeepSeek’s servers. The seemingly reduced power needed to run and train R1 also affected power company stock prices.
Ars’ Kyle Orland found R1 impressive, given its seemingly sudden arrival and smaller scale, while also noting some deficiencies compared with OpenAI models.
The competitive context includes OpenAI as well. OpenAI told the Financial Times it believed DeepSeek had used OpenAI outputs to train R1 through a practice known as distillation. The source article states that such training violates OpenAI’s terms of service, and OpenAI told Ars it would work with the US government to protect its model.
Wiz researchers also told WIRED they found numerous structural similarities to OpenAI while examining DeepSeek’s systems. The source article says those similarities appeared to make it easier for customers to transition from OpenAI to DeepSeek.
The takeaway
The DeepSeek database exposure is a reminder that AI security is not only about future-facing threats. It is also about whether databases, web interfaces, API secrets, and internal systems are protected from public access.
DeepSeek’s rise has been tied to performance claims, cost claims, and comparisons with OpenAI. The Wiz finding adds another dimension: operational security. For any AI provider, protecting customer data has to be part of the product, not a separate concern handled after attention arrives.