On January 29, 2025, security researchers from Wiz Research made an alarming discovery: a database belonging to a Chinese artificial intelligence company DeepSeek It was completely exposed on the internet, without any authentication, accessible to anyone in the world.
What they found was no ordinary file. It was a database. ClickHouse on ports 8123 and 9000, which contained more than one million rows of extremely sensitive information: a complete history of conversations with the AI models, backend API keys, system logs, and internal infrastructure metadata.
The case quickly became the most significant security incident in the AI ecosystem in recent years—and an urgent lesson for all companies that use or develop artificial intelligence solutions.
Context: Why DeepSeek Was on the Radar
The week of the incident, DeepSeek had just launched its model R1, which for the first time competed directly with Anthropic’s GPT-4 and Claude 3 in reasoning benchmarks—and was also open source. The launch generated massive coverage in global tech media, subjecting the company to a level of scrutiny it clearly did not anticipate.
It was precisely that scrutiny that led Wiz Research to examine DeepSeek's exposed infrastructure—and discover the open database in less than an hour of investigation.
What data was exposed?
The extent of the breach was documented by Wiz Research and confirmed by independent analysts. The compromised data included:
- Complete conversation history user data from DeepSeek models, including plaintext versions of questions and answers
- Backend API keys — credentials that could be used to impersonate internal services or gain access to other connected systems
- Detailed system logs including information on versions, internal errors, and file paths
- Operational metadata that revealed details about the internal architecture of AI services
- End-User Information, including session identifiers and activity timestamps
Timeline of the Incident
Why This Incident Is Different from a Classic Data Breach
Traditional data breaches typically compromise user databases—names, email addresses, and passwords. The impact, while serious, is relatively predictable, and organizations know how to respond.
The DeepSeek gap differs in several critical ways:
1. The data presented here consists of conversations with AI
Users interact with AI models by sharing information they would not normally enter into a web form: questions about internal projects, proprietary code, business strategies, customer data, and legal dilemmas. The exposure of these conversations represents a major leak of business intelligence.
2. The error was a basic configuration issue, not a coding issue.
There was no sophisticated exploit. There was no zero-day vulnerability. A production database was simply accessible online without a password. This shows that even companies that build the world's most advanced AI tools can fail to implement the most basic security controls.
3. Exposed API keys increase the risk
In a microservices and AI environment, API keys are the keys to the kingdom. A compromised backend key not only grants access to data—it can also allow attackers to modify models, inject responses, steal additional credentials, or pivot to other connected systems.
4. The volume of data facilitates targeted attacks
With a million conversations, an attacker can identify specific high-value users, reconstruct confidential projects mentioned in chats, and design extremely persuasive phishing attacks based on the victims' real-life context.
The risk pattern that this reveals across the entire industry
Following the DeepSeek incident, security researchers began examining the exposed infrastructure of other AI startups—and found similar patterns with alarming frequency:
- Vector databases without authentication that store embeddings of corporate documents
- Model APIs without rate limiting or authentication displayed in non-standard ports
- Training Data Pipelines accessible without credentials
- LLM Monitoring Dashboards with visible usage metrics and prompt history
The rapid growth of the AI ecosystem—where startups go from a prototype to millions of users in a matter of weeks—puts enormous pressure on engineering teams. Security often takes a back seat.
What Your Company Should Do Now
This incident outlines a new set of controls that organizations must implement when adopting tools or developing AI systems:
If they use third-party AI tools
- Tool Inventory: Identify which AI tools each team uses and what types of data are shared with them
- Acceptable Use Policy: Explicitly define which categories of data CANNOT be entered into external AI tools (customer data, proprietary code, financial information, personal data)
- Review of Terms of Service: Check how the provider stores, uses, and protects conversations—and under which laws
- DLP on endpoints: Implement data loss prevention controls that can detect when employees paste sensitive information into AI applications
If they develop or deploy AI systems
- Security in Vector Databases: No database containing user data—including embeddings and conversation logs—should be accessible without authentication
- Secret Management: API keys for AI backends should be rotated periodically and should never be stored in plain text
- Network segmentation: Model inference services should not be exposed directly to the internet; they should be behind an API gateway with authentication.
- Audit of Exposed Ports: Implement regular attack surface scans, including non-standard ports such as 8123, 9000, 6333, and 19530 (common in AI infrastructure)
SOC Monitoring Controls for AI Environments
- Alerts about unusual access to databases from external IP addresses or at unusual times
- Detection of high-volume exfiltration records from AI log databases
- Monitoring of Use of API keys from unusual geographic locations
- Updated inventory of all listening ports on servers running AI workloads
Conclusion
The DeepSeek breach was not a sophisticated attack. It was a basic configuration error at a company that had captured the world’s attention. And that, precisely, is what makes it so significant.
The message for any organization is clear: the complexity and technological advancement of an AI product say nothing about the security maturity of the company that builds it. The rapid adoption of AI—in both startups and established companies—is creating a new attack surface that many security teams have not yet assessed.
In 2026, protecting your organization will no longer mean just securing servers and user credentials. It will also mean understanding where the data processed by their AI tools is stored, who can access it, and what would happen if it were exposed.
