Summary
Chinese AI company DeepSeek exposed an unprotected database containing over a million unencrypted chat logs, API keys, and other sensitive data.
Security researchers at Wiz discovered the vulnerability and alerted DeepSeek, which promptly took the database offline.
It’s unclear how long the data was exposed or if others accessed it before Wiz.
DeepSeek, which gained viral popularity since its December launch, has not commented.
Who tf keeps that kind of sensitive shit unencrypted at rest?
The kind of company who develops an AI for 4% the cost of everyone else
I don’t know, it doesn’t feel like a cost thing to me. If even one second of thought was given to security this could have been prevented basically for free.
Security costs money to develop and implement.
Technically correct but that’s like saying it takes effort to set up a passcode on your phone. Yes but it’s basically as close to zero as you can get and the return makes it a no brainer. Data breaches also cost money to remediate and can cause potentially trust destroying reputational damage.
It’s a no brainer if you’re paying people enough to understand the problem.
Unprotected and internet accessible?
Truly a side project
It wasn’t at rest according to the blog post:
So probably either a service that was meant to be bound on loopback or a firewall issue.
I guess that shows how dangerous it is to have something secured by the ‘nobody should be able to access this port’ method.