90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-089
Technology · China · 2025 · Data exposure & egress

DeepSeek left a database open on the internet with more than a million log lines, including users' chat history and secret keys

By Ellie Harris · Filed Identified by Wiz Research, 29 January 2025

Alleged: DeepSeek; Wiz (disclosing researchers) developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

DeepSeek left a database open on the internet with more than a million log lines, including users' chat history and secret keys

What happened

It was reported that in late January 2025, as DeepSeek’s assistant rose sharply in use, researchers at the security firm Wiz found a database belonging to the company exposed on the public internet. The store, a ClickHouse database, was reachable through two open ports with no password, and access to it allowed full control over the database’s operations. It held more than a million lines of log data in plain text, including users’ chat history, API keys, backend details and other operational metadata, with entries dating back to 6 January 2025.

It was then reported that Wiz disclosed the exposure to DeepSeek privately, and that DeepSeek closed it in under an hour of being notified. Wiz did not report evidence that anyone else had reached the data, and the speed of the fix once the company knew is not in question. The log entries ran back to 6 January, though how long the database itself had been open is not something the reporting establishes. What is clear is that the company did not find it. An outside researcher did, in a database holding the plaintext conversations of a service then being adopted by millions.

What an auditable version would have shown

Whether a database full of user chats and secret keys can be reached from the open internet is something a system can keep testing on its own, and record. An auditable version tags each store by what is in it and checks, against a simple rule, whether it is reachable: a database of plaintext chat logs should never be open to anyone without a password. Cross that line and it writes a signed record. A check like that trips whenever the store first becomes reachable, whenever that was, rather than waiting for the day an outside researcher happens to look.

Where the gap was

Sensitive data, plaintext chat logs and secret keys, sat open to the internet with nothing watching to make sure it was not. An EgressGate tags a store by how sensitive it is and checks the wall around it, so a database of user conversations cannot sit open and passwordless without tripping the check and forcing someone to sign off on the exception. A ConductRecord keeps what the check found and when, so the stretch of time between the store being exposed and someone noticing is something the company can see for itself, not something it hears about from whoever found the data first.

What governance should have looked like

The fix took under an hour once DeepSeek knew; the hard part was knowing the store was open in the first place. A database left open to the internet is something a system can be built to spot as it happens, rather than something that waits for an outside researcher to trip over it. Best practice would be for a company holding user data to tag its stores, keep checking whether they are reachable, and write a signed record when one is exposed, so it is the first to know rather than the last.

Failure Pattern: a data store holding user chat logs and secret keys was reachable from the public internet with no authentication.

Governance Principle: a store holding sensitive or user data must be closed to the public internet by default, and its reachability checked continuously, not assumed.

The reference implementation of EgressGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and DeepSeek; Wiz (disclosing researchers) could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →