What happened
It was reported that in late January 2025, as DeepSeek’s assistant rose sharply in use, researchers at the security firm Wiz found a database belonging to the company exposed on the public internet. The store, a ClickHouse database, was reachable through two open ports with no password, and access to it allowed full control over the database’s operations. It held more than a million lines of log data in plain text, including users’ chat history, API keys, backend details and other operational metadata, with entries dating back to 6 January 2025.
It was then reported that Wiz disclosed the exposure to DeepSeek privately, and that DeepSeek closed it in under an hour of being notified. Wiz did not report evidence that anyone else had reached the data, and the speed of the fix once the company knew is not in question. The log entries ran back to 6 January, though how long the database itself had been open is not something the reporting establishes. What is clear is that the company did not find it. An outside researcher did, in a database holding the plaintext conversations of a service then being adopted by millions.
What an auditable version would have shown
Whether a database full of user chats and secret keys can be reached from the open internet is something a system can keep testing on its own, and record. An auditable version tags each store by what is in it and checks, against a simple rule, whether it is reachable: a database of plaintext chat logs should never be open to anyone without a password. Cross that line and it writes a signed record. A check like that trips whenever the store first becomes reachable, whenever that was, rather than waiting for the day an outside researcher happens to look.
Where the gap was
Sensitive data, plaintext chat logs and secret keys, sat open to the internet with nothing watching to make sure it was not. An EgressGate tags a store by how sensitive it is and checks the wall around it, so a database of user conversations cannot sit open and passwordless without tripping the check and forcing someone to sign off on the exception. A ConductRecord keeps what the check found and when, so the stretch of time between the store being exposed and someone noticing is something the company can see for itself, not something it hears about from whoever found the data first.
What governance should have looked like
The fix took under an hour once DeepSeek knew; the hard part was knowing the store was open in the first place. A database left open to the internet is something a system can be built to spot as it happens, rather than something that waits for an outside researcher to trip over it. Best practice would be for a company holding user data to tag its stores, keep checking whether they are reachable, and write a signed record when one is exposed, so it is the first to know rather than the last.
Failure Pattern: a data store holding user chat logs and secret keys was reachable from the public internet with no authentication.
Governance Principle: a store holding sensitive or user data must be closed to the public internet by default, and its reachability checked continuously, not assumed.
The reference implementation of EgressGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.
Sources
- Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History (Wiz)
- DeepSeek exposed internal database containing chat histories and sensitive data (TechCrunch)
- DeepSeek AI Database Exposed: Over 1 Million Log Lines, Secret Keys Leaked (The Hacker News)