In a recent security incident, DeepSeek, the new Chinese AI startup, suffered a significant data breach due to an unsecured ClickHouse database. This breach exposed over a million log entries, including sensitive information such as chat logs, API keys, backend service details, and operational metadata.
Technical Walkthrough: Cause of the Breach
The root cause of this breach was the lack of authentication on DeepSeek’s ClickHouse database servers, which were accessible via the following endpoints:
- http://oauth2callback.deepseek.com:8123
- http://dev.deepseek.com:8123
- http://oauth2callback.deepseek.com:9000
- http://dev.deepseek.com:9000
ClickHouse, an open-source columnar database designed for real-time analytics, offers an HTTP interface that, in this case, was left unsecured. This misconfiguration allowed unauthorized users to execute SQL queries without any authentication. By accessing the /play path, attackers could list all available tables and extract data from them. Notably, the log_stream table contained plaintext logs of user conversations, API secrets, and backend service information.
Type of Data Breach
This incident is classified as a data exposure breach resulting from improper security configurations. The exposed data included:
- Plaintext chat logs from DeepSeek’s AI chatbot
- API keys and secrets
- Backend service metadata
- Internal directories
The exposure of such sensitive information poses significant risks, including unauthorized access to user data, potential misuse of API keys, and exploitation of backend services.
Hackers Behind the Incident
At this time, there is no evidence to suggest that malicious actors exploited this vulnerability before it was discovered by security researchers. The breach was identified by security researchers, who responsibly disclosed the findings to DeepSeek. Upon notification, DeepSeek has secured the exposed database and initiated an investigation to assess the impact.
Conclusion
This incident underscores the critical importance of implementing robust security measures, especially for organizations handling sensitive data. Proper configuration and regular security assessments are essential to prevent unauthorized access and protect user information. Organizations must prioritize securing their databases and other infrastructure components to mitigate the risk of data breaches.