DeepSeek Database Exposed Over One Million Log Entries Including Chat Histories and API Keys

The rapid rise of Chinese AI startup DeepSeek has been one of the most closely followed stories in the technology sector in early 2025. The company’s DeepSeek-R1 reasoning model has drawn comparisons to OpenAI’s top-tier systems, earning praise for its cost-effectiveness and efficiency. However, a critical security disclosure on January 30, 2025 has revealed a sobering reality: even the most innovative AI companies can fall victim to fundamental security misconfigurations that put user data at risk.

Security researchers at cloud security firm Wiz discovered a publicly accessible ClickHouse database belonging to DeepSeek that was completely open and unauthenticated. The database, hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000, contained over one million log entries exposing chat histories, API secret keys, backend operational details, and other highly sensitive information to anyone on the open internet. Bitcoin was trading at approximately $104,735 at the time of the disclosure, and the broader crypto market was already on high alert following a report from Immunefi showing $74 million lost to crypto hacks in January 2025 alone.

The Exploit Mechanics

The Wiz research team began their assessment by mapping DeepSeek’s external attack surface using standard reconnaissance techniques, namely passive and active subdomain discovery. They identified around 30 internet-facing subdomains. Most appeared benign, hosting the chatbot interface, status pages, and API documentation. However, when the team expanded their search beyond the standard HTTP ports 80 and 443, they detected two unusual open ports (8123 and 9000) associated with key subdomains.

These ports led directly to a publicly exposed ClickHouse database. ClickHouse is an open-source columnar database management system developed by Yandex, widely used for real-time data processing, log storage, and big data analytics. By leveraging ClickHouse’s HTTP interface, the researchers accessed the /play path, which allowed direct execution of arbitrary SQL queries via the browser. A simple SHOW TABLES; query returned a full list of accessible datasets, and one table in particular stood out: log_stream, which contained over one million log entries with columns revealing timestamps dating back to January 6, 2025, internal API endpoint references, plaintext logs including chat history, API keys, backend details, and operational metadata.

Affected Systems

The exposure was not limited to a single service. The _service column indicated which DeepSeek service generated each log, while the _source column revealed the origin of log requests, containing chat histories, API keys, directory structures, and chatbot metadata. This level of access posed a critical risk not only to DeepSeek’s internal security but also to every end user who had interacted with the platform since early January 2025.

More critically, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism standing between the open internet and the database. Any attacker who discovered these ports could have retrieved sensitive logs and actual plaintext chat messages, exfiltrated API secrets, and potentially leveraged the access to pivot deeper into DeepSeek’s infrastructure.

The Mitigation Strategy

The Wiz Research team immediately and responsibly disclosed the issue to DeepSeek, which promptly secured the exposure by taking the database offline. The speed of the response was commendable, but questions remain about how long the database was exposed before Wiz discovered it, and whether any malicious actors accessed it during that window. DeepSeek did not respond to requests for comment from multiple media outlets.

Misconfigured databases are often caused by human error rather than malicious intent. In this case, the ClickHouse instance was deployed without authentication on internet-facing ports, a configuration error that should have been caught during routine security audits. The incident underscores the importance of implementing zero-trust architecture, regular attack surface assessments, and automated monitoring for exposed services.
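
An added example (not from Wiz, DeepSeek or the ClickHouse project): a small Python audit that flags the pattern described above, a ClickHouse server listening on all interfaces together with a user that has no credential and no source-address restriction. The two XML snippets are constructed samples, and the list of credential elements checked is an assumption that is not exhaustive.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs (not DeepSeek's): a server bound to every
# interface and a default user with an empty password and no source limits.
SERVER_XML = """<clickhouse>
  <listen_host>::</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>"""

USERS_XML = """<clickhouse><users>
  <default><password></password><networks><ip>::/0</ip></networks></default>
  <ingest><password_sha256_hex>CONSTRUCTED_PLACEHOLDER</password_sha256_hex>
    <networks><ip>10.0.0.0/8</ip></networks></ingest>
</users></clickhouse>"""

WILDCARDS = {"::", "0.0.0.0"}  # bind-to-everything addresses
# Elements that give a user a real credential (assumed list, not exhaustive).
CRED_TAGS = ("password_sha256_hex", "password_double_sha1_hex",
             "ldap", "kerberos", "ssl_certificates")


def audit(server_xml, users_xml):
    """Return findings for the no-auth, internet-facing pattern."""
    findings = []
    server = ET.fromstring(server_xml)
    hosts = [(h.text or "").strip() for h in server.findall("listen_host")]
    exposed = sorted(WILDCARDS.intersection(hosts))
    if exposed:
        ports = [server.findtext(t) for t in ("http_port", "tcp_port")]
        ports = ", ".join(p.strip() for p in ports if p)
        findings.append(f"server: listens on {', '.join(exposed)} (ports {ports})")
    for user in ET.fromstring(users_xml).findall("./users/*"):
        has_cred = bool((user.findtext("password") or "").strip())
        has_cred = has_cred or any(user.find(t) is not None for t in CRED_TAGS)
        if not has_cred:
            findings.append(f"user {user.tag}: no password or other credential")
        for ip in user.findall("./networks/ip"):
            net = ipaddress.ip_network((ip.text or "").strip(), strict=False)
            if net.prefixlen == 0:  # ::/0 or 0.0.0.0/0 means "from anywhere"
                findings.append(f"user {user.tag}: allowed from any address ({net})")
    return findings


if __name__ == "__main__":
    for line in audit(SERVER_XML, USERS_XML):
        print(line)
```

Run against the real `config.xml` and `users.xml` contents in CI or a scheduled job, an empty result means none of the three conditions is present.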

Lessons Learned

The DeepSeek database exposure offers several critical lessons for the broader technology and crypto community. First, rapid growth and viral popularity do not excuse neglecting basic security hygiene. DeepSeek has experienced explosive user adoption since its public launch in December 2024, but its security infrastructure apparently did not keep pace with its growth. Second, exposed databases remain one of the most common and devastating attack vectors in the industry. The crypto sector alone has seen billions lost to similar misconfigurations over the years.

Third, the intersection of AI and crypto creates new attack surfaces that require specialized security approaches. As AI agents, decentralized compute networks, and AI-powered trading tools proliferate, the amount of sensitive data flowing through these systems increases exponentially. Projects building at this intersection must treat security as a foundational requirement, not an afterthought.

User Action Required

If you used DeepSeek’s services between January 6 and January 30, 2025, you should assume your chat histories and any data shared with the platform may have been exposed. Rotate any API keys you generated on the DeepSeek platform immediately. Review any sensitive information you may have shared in prompts, including code snippets, personal data, or business information. Monitor your accounts for unusual activity, particularly if you used DeepSeek API keys in production environments.

The crypto community should also take this incident as a reminder that security is not just about smart contract audits and wallet protection. Every service you interact with — AI platforms, trading tools, portfolio trackers — represents a potential attack surface. Practice the principle of least privilege in your API key usage, never share sensitive information in AI prompts, and always have a rotation strategy for credentials connected to third-party services.

This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified professionals before making security decisions.

7 thoughts on “DeepSeek Database Exposed Over One Million Log Entries Including Chat Histories and API Keys”

    1. seen this exact pattern at three different startups now. clickhouse on :9000 with no auth, sitting on a public subdomain

      1. seen the clickhouse no-auth pattern at three different startups this year alone. the defaults are wide open and nobody reads the deployment docs

  1. Wiz finding this before actual malicious actors is lucky. That db had API keys sitting in plaintext logs. Anyone could have drained wallets connected to those keys.

    1. The fact that oauth2callback.deepseek.com was one of the exposed endpoints makes this even worse. That is literally the auth flow endpoint.

  2. over a million log entries with chat histories. if you used deepseek api keys for any crypto integrations rotate them immediately

  3. over a million log entries with api keys in plaintext. if you connected any crypto tools to deepseek you should rotate those credentials right now
