DeepSeek Users Growing Popularity Sparks Cybersecurity Concerns
DeepSeek Users a rising AI company, has been in the spotlight recently due to its release of R1, an open-source AI model that is being touted as a competitor to industry giants like OpenAI’s ChatGPT and Google’s Gemini. The company claims that R1 matches the performance of these well-known chatbots while requiring far less computational power. As the company’s prominence grows, so does scrutiny from the cybersecurity community, which has begun investigating the model and the company’s overall infrastructure.
Security Flaw Exposes Sensitive Information
Researchers at cybersecurity firm Wiz discovered a significant vulnerability in DeepSeek’s system, which was linked to an unprotected ClickHouse database. This database, accessible through several publicly exposed hosts, contained sensitive information including chat histories, API keys, backend details, and operational metadata. Upon further analysis, Wiz discovered that arbitrary SQL queries could be executed on the database, allowing unauthorized access to sensitive logs. The breach revealed approximately one million log entries, including plaintext chat messages and other crucial data that could be exploited by cybercriminals.
Wiz’s report highlighted the critical risks posed by the exposure, noting that an attacker could retrieve plain-text passwords, local files, and proprietary information directly from DeepSeek’s servers. The security firm also warned that an unauthenticated attacker could potentially escalate privileges within the DeepSeek system, gaining full control over the compromised database. Following this revelation, DeepSeek took immediate action to patch the vulnerability after being alerted by Wiz.
Data Privacy Issues Draw International Attention
The breach comes just days after a separate report from threat intelligence company Kela, which revealed that DeepSeek Users R1 model is vulnerable to jailbreak techniques, a security loophole that has already been patched in other popular chatbot models. These vulnerabilities, coupled with the discovery of the unprotected database, have fueled concerns regarding the privacy and data protection risks associated with DeepSeek’s services.
The company, which is based in China, has also faced criticism for allegedly sending the data of U.S. users to China, raising privacy alarms. The European Union has taken note of these issues, with Italy’s data protection authority temporarily removing DeepSeek’s application from Google and Apple app stores. The Italian authority is investigating how the company handles personal data, and similar inquiries have been made by authorities in Ireland.
In addition to these privacy concerns, DeepSeek has recently reported being forced to limit new registrations due to a large-scale cyberattack, which further highlights the company’s cybersecurity challenges. As the investigation into the company’s security practices continues, it remains to be seen how DeepSeek will address these vulnerabilities and restore public trust in its platform.
