Exposed DeepSeek database leaking sensitive information, including chat history
498 comments
·January 29, 2025jvansc
david-gpu
> Or do devs around the world just have to bite the bullet and learn enough English to be able to use the majority of tools?
That is precisely what happens. It is not unusual for code and databases to be written in English, even when the developers are from a non-English speaking country. Think about it: the toolchain, programming language and libraries are all based on English anyway.
londons_explore
Interestingly, in the world of electronics this used to be true too. The first Diode on a circuit board would be marked "D1", no matter which country produced it. Datasheets for components would be in english. Any text on a circuit board would be in english (ie. "Voltage Select Switch" or "Copyright 2025".).
However, a few years back it became common for most datasheets to be available in mandarin and english, and this year most PCB fabrication houses have gained support for putting chinese characters onto a circuit board (requires better quality printing, due to more definition needed for legibility).
Now there are a decent number of devices where the only documentation is only available in mandarin, and the design process was clearly done with little or no english involved.
Not everything changes though - gold plating thickness is measured by the micro-inch. Components often still use 0.1 inch pin spacing. Model numbers of chinese chips often are closely linked to the western chip they replace, the names of registers (in the cpu register sense) are often still english etc.
Twirrim
> Not everything changes though - gold plating thickness is measured by the micro-inch
Considering how much manufacturing and science etc. has fully migrated to metric, even in the US, this seems bizarre to me.
pjc50
> this year most PCB fabrication houses have gained support for putting Chinese characters onto a circuit board
I've yet to see one of these in the wild, but it sounds cool to me and I would like to see it.
There's something of a problem the CJK languages have in not being able to do abbreviations or acronyms, so in Japanese you will occasionally see a couple of Latin letters standing out because that's much shorter than an inconveniently translated word.
tommiegannert
> Components often still use 0.1 inch pin spacing.
This changed with IC SMD packages. It's now mostly even 100-micrometers.
SMD passives seem to be in a state of limbo, but mostly still using inches. Mouser lists resistor size codes as both inch and mm. It's a bit confusing.
miki123211
In my experience, you usually get English variable names / db schemas, localized chats and tickets, with internal docs, log messages and comments being a mixed bag.
For some kinds of software, localized names make a lot more sense, e.g. when you're dealing with very subtle distinctions between legal terms that don't have direct English equivalents.
bryanrasmussen
I have worked in a couple places where some of the code was not in English, and it was incredibly annoying, like an affectation.
lawn
As a Swede I sometimes encounter new programmers using Swedish instead of English and it's incredibly jarring.
It's a little bit better if only the comments are in Swedish but it's still annoying...
Luckily it's very rare.
edudobay
Considering Brazil and the Spanish-speaking people whom I've worked with, it's common for English coding to be the norm for the company/project, but many people are far from being proficient in English, so we end up with funny names that are often confusing or nonsense - I've seen an "evaluation service" that is actually a "rating service" (both could translate to the same in Portuguese). They often translate to false cognates too.
There are some business concepts that are very unique to a place (country-specific or even company-specific) with no precise translation to the English-speaking world, and so I sometimes prefer to keep them in their native language.
impulsivepuppet
It might seem less credible to encounter English in a place where it’s less expected, but think of it this way: would a Yandex-developed ClickHouse database be adopted by Chinese devs if everything in it were written in Russian?
There is some merit in asking your question, for there’s an unspoken rule (and a source of endless frustration) that business-/domain-related terms should remain in the language of their origin. Otherwise, (real-life story) "Leitungsauskunft" could end up being translated as "line information" or even "channel interface" ("pipeline inquiry" should be correct, it's a type of document you can procure from the [German] government).
Ironically, I’m currently working in an environment where we decided to translate such terms, and it hasn’t helped with understanding of the business logic at all. Furthermore, it adds an element of surprise and a topic for debate whenever somebody comes up with a "more accurate translation".
So if anything, English is a sign of a battle-hardened developer, until they try to convert proper names.
denysvitali
In the wild I've seen a company returning a JSON key "ankunftTime" in one of their APIs
TeMPOraL
In my experience, Germany is the most common exception to the "programming is done in English" rule.
In general, these things happen, and are not restricted to pre-Internet times - in fact, I most often see it in random webshit SaaS developed in Europe - things like, say, food delivery - Pyszne.pl and pizzaportal.pl (defunct) come to my mind. Those sites tend to be well-localized, so they seem like local businesses targeting the national market. But then you accidentally look at an URL deep in ordering form, or the ordering form breaks and you pull up dev tools to fix it, and suddenly you realize the SaaS operator is actually German or Swedish or Dutch, and they're just deploying the same platform across the EU, with a really good localization polish.
Timwi
Anyone remember T_PAAMAYIM_NEKUDOTAYIM?
throwaway2037
Google tells me that "ankunft" means arrival in German. Is that correct?
rcruzeiro
Someone who worked on a non-English environment years ago here: sometimes you do use the local language in some contexts, but, more often than not, you end up using English for the majority of stuff since it's a bit off-putting to mix another language with the English of programming languages and APIs.
heelix
Our US company sent me to France to help out with an implementation. The guy I worked with spoke very little English and my French is terrible. Both of us had done Latin, however - so the comments were hilarious as we used that as our common link. One of those projects I'd expect to show on the daily WTF at some point.
I did try my hand at a translation tool, as it was all i18n up proper. Watched one guy blow coffee through his nose when I demo'ed - and the 'BACK' navigation was the French word for a persons back or something like that.
0xDEAFBEAD
Isn't it true that schoolboys in many countries would learn Latin 100+ years ago? I suppose it would've been used sometimes in international communication?
sd9
LLMs seem pretty great at helping with the translation like this. I asked chatgpt about "back" and it gave me tons of options.
https://chatgpt.com/share/679b43af-e770-800a-92ee-b27bd87194...
icepat
Yep, myself as well. I've heard non-English programmers who've worked with non-English codebases call them "very weird".
stratocumulus0
I've been working on a project for the former Polish state telco and the codebase was mostly Java EE as written in the mid-00's. Since you cannot really be productive in Java without an IDE, standard English conventions for naming have been pushed onto the devs from early on - a getter must start with `get` or `is` if the return type is boolean, class names have to contain standardized postfixes corresponding to the design pattern used, such as `AbstractFactoryBean` etc. But since few people spoke English back then, they ended up with awful hybrid names such as `getCennikSluchawkiKeySet` or `OfertaManagerPrzylaczeProxy`.
ninetyninenine
A lot of software design from the English world centers around "design patterns." And these "design patterns" have advanced nomenclature and often make things more convoluted then necessary. The whole concept of these "patterns" are actually an arbitrary style that got invented in the English speaking world. In non-english countries people program in ways that are more straightforward.
sghiassy
Dumb question, but it would then seem that you have to know English to program??
rtpg
This is a bit environment dependent is my impression. Like France and Japan both have enough people shitty at English to generate either translations or home grown programming learning material to fight against this barrier. But my impression is that, like, a German programmer isn't getting far in life without being comfy reading stuff in English
pjc50
Many non-English-language countries end up with most people who've been through higher education knowing at least some English, not only so they can handle sources but also so they can talk internationally to any other country as well as consume American media.
It's also a status symbol.
The smaller the language pool is the stronger this effect is. Japan is large enough that it's less guaranteed. Places like India and Indonesia that have a lot of internal languages end up using English as a lingua franca (+) as well.
(+) latin term!
evantbyrne
Not literally required, because languages typically support UTF-8 source files, but it would be difficult to use most popular software libraries without being able to at least read English.
princemaple
Kinda. Some of them know all the English words in the programming language they code in, and not much else.
wisty
A lot would probably be loan words anyway, and they're words many English speakers would also need to learn. Array, socket, database, loop, float, function, etc.
If the stack overflow examples are in English, you might as well use it. That's also why JavaScript is maybe a better choice than Typescript even if Typescript is better.
presentation
Probably at least some, because most tools’ documentation are not going to be in your language – at least that’s how it is here in Japan. That said plenty of Japanese engineers who have very low English skill.
null
creakingstairs
It’s harder to learn for sure. Majority of the resources are in English and it’s harder to internalise the keywords. But it’s definitely possible to program without knowing English.
bri3d
Almost all software engineers learn a passing amount of English - truly localized programming environments are quite esoteric and not really available for most mainstream use cases I can think of.
Depending on the company culture and policy, the most common thing to see is a mix of English variable and function names with native-language comments. Occasionally you will see native-language variable and function names. This is much more common in Latin character set languages (especially among Spanish and Portuguese speakers) in my experience; almost all Chinese code seems to use approximately-English variable and function names.
buu700
I've also seen a codebase with a mix of English and Portuguese variable/function names and comments. In that particular case, the Portuguese variable/function names were basically treated as technical debt, with a gradual ongoing transition to consistent English naming.
0xcde4c3db
> Or do devs around the world just have to bite the bullet and learn enough English to be able to use the majority of tools?
I'm a native English speaker, but from looking at various code bases written by people who aren't, I gather that it's basically this. It wasn't too long ago that one couldn't even reliably feed non-ASCII comments to a lot of compilers, let alone variable and function names.
lukan
"Or do devs around the world just have to bite the bullet and learn enough English to be able to use the majority of tools?"
Yes, that's what we did and do.
Depending on the project, I do use german variable names and comments at times, but stopped using all special characters like öüäß, they mess things up, despite in theory should just work fine.
Nowdays even chrome dev tools come in german, but experience shows, translated programming tools (or any software really) usually just have the UI a bit translated. But any errors you encounter or any advanced stuff will be in english anyway. And if you google issues of your translated UI, you won't find much, so better just use the original version.
So english it is.
(And it is the lingua franca in most parts of the world anyway)
maeil
Your country's biggest SW company is SAP, world infamous for their German column names, haha. Pretty sure it's the most widely used product in the world with non-English internals that people actually interact with - I'm sure there's some Realtek firmware with billions of installs that's in Chinese but barely anyone has to look at that.
nemoniac
Not only that, DeepSeek "thinks" in English!
When I interact with it by asking it a question in Spanish, the parts between the <think> ... </think> are in English before it goes on to answer in Spanish.
Give it a try in your favourite language.
I went on to ask it if it "thinks" in English, Spanish or Chinese but it just gives the pat answer that, being an LLM, it doesn't think in any language.
chromanoid
I assume that there is a prompt that asks the LLM to generate its thoughts. This prompt is probably in English.
dreilide
interestingly that hasn't been my experience. did you use their web interface or the API?
victorbjorklund
I'm from Sweden (okay not same thing as China due to english being more common here) but I always code in english. Even if it is a script just for myself I will use english for variable names etc
2mlWQbCK
I do that as well and also in almost all my personal documents on most (but not all) topics. All the books and most online forums I read are in English. I rather have documents uniformly in Swedish English (en-SE?) than some Swenglish mess of Swedish mixed with English words.
It also helps on the rare occasions some random notes evolve into a proper project that will have to be in English eventually anyway. There is no need for an extra translation step between initial idea and final product. All my vague hobby gamedev ideas are in English for instance.
galnagli
Thank you everyone, this was responsibly disclosed to DeepSeek and published after the issue was remediated, we got acknowledgment from their team today on our contribution.
leftcenterright
were these "dev" domains holding real production data? the blog post does not clear it for me.
caust1c
Interesting to note:
- Dev infra, observability database (open telemetry spans)
- Logs of course contain chat data, because that's what happens with logging inevitably
The startling rocket building prompt screenshot that was shared is meant to be shocking of course, but most probably was training data to prevent deepseek from completing such prompts, evidenced by the `"finish_reason":"stop"` included in the span attributes.
Still pretty bad obviously and could have easily led to further compromise but I'm guessing Wiz wanted to ride the current media wave with this post instead of seeing how far they could take it. Glad to see it was disclosed and patched quickly.
pedrovhb
> but most probably was training data to prevent deepseek from completing such prompts, evidenced by the `"finish_reason":"stop"` included in the span attributes
As I understand, the finish reason being “stop” in API responses usually means the AI ended the output normally. In any case, I don't see how training data could end up in production logs, nor why they'd want to prevent such data (a prompt you'd expect to see a normal user to write) from being responded to.
> [...] I'm guessing Wiz wanted to ride the current media wave with this post instead of seeing how far they could take it.
Security researchers are often asked to not pursue findings further than confirming their existence. It can be unhelpful or mess things up accidentally. Since these researchers probably weren't invited to deeply test their systems, I think it's the polite way to go about it.
This mistake was totally amateur hour by DeepSeek, though. I'm not too into security stuff but if I were looking for something, the first thing I'd think to do is nmap the servers and see what's up with any interesting open ports. Wouldn't be surprised at all if others had found this too.
caust1c
Seems that you're right! Also, not that I doubted they were using OpenAI, but searching for `"finish_reason"` on the web all point to openai docs. Personally, I wouldn't say it's a very common attribute to see in logs generally.
https://platform.openai.com/docs/api-reference/introduction
Right there in the docs:
> Now that you've generated your first chat completion, let's break down the response object. We can see the finish_reason is stop which means the API returned the full chat completion generated by the model without running into any limits.
Regarding how training data ends up in logs, it's not that far fetched to create a trace span to see how long prompts + replies take, and as such it makes sense to record attributes like the finish_reason for observability purposes. However the message being incuded itself is just amateur, but common nonetheless.
miki123211
> not that I doubted they were using OpenAI
The OpenAI API is basically the gold-standard for all kinds of LLM companies and tools, both closed and open source, regardless of whether the underlying model is trained on OpenAI or not.
danielodievich
open exposed clickhouse is this decade's open exposed elasticsearch so common in the past
ebfe1
AFAIK, Opensource Elasticsearch does not offer any form of authentication upon installation for many years but ClickHouse does and in fact I'm often surprised at how many authentication mechanisms were introduced over the years and can be easily configured:
- Password authentication (bcrypt, sha256 hashes) - Certificate authentication (Fantastic for server to server communication) - SSH key authentication (Personally, this is my favourite - every database should have this authentication mechanism to make it easy for Dev to work with)
Not very popular but LDAP and Http Authentication Server are also great options.
I also wonder how DeepSeek engineers deployed their ClickHouse instance. When I deployed using yum/apt install, the installation step literally ask you to input a default password.
And if you were to set it up manually with ClickHouse binary, the out-of-the-box config seal the instance from external network access and the default user is only exposed to localhost as explained by Alex here - https://news.ycombinator.com/item?id=42871371#42873446.
pl4nty
shame they paywalled JWT authn behind their expensive PaaS offering :(
forced us to use an alternative, and paywalling security features in an "open source" product didn't make us feel comfortable for a long-term investment like a db
https://github.com/ClickHouse/ClickHouse/pull/68634#issuecom...
bearjaws
Which was originally the open exposed mongo server, then mysql/phpmyadmin, then exposed ftp, and then exposed telnet.
hmmm-i-wonder
We move on and upwards, but never really stop making the same mistakes do we.
astrea
Shows how old I am. Thought we were still in the "exposed ElasticSearch" era.
kdmtctl
I was sure this was Elastic, you are not alone.
blitzar
open exposed S3 bucket is this decade's open exposed S3 bucket so common in the past
mmaunder
Does DeepSeek have a bug bounty program I'm not aware of with a clearly defined scope? It appears that Wiz took it upon themselves to probe and access DeepSeek's systems without permission and then write about it.
If you do this and the company you're conducting your "research" on hasn't given you permission in some form, you can get yourself in a lot of hot water under the CFAA in the USA and other laws around the world.
Please don't follow this example. Sign up for a bug bounty program or work directly with a company to get permission before you probe and access their systems, and don't exceed the access granted.
soulofmischief
Your posturing is unwarranted. Literally in the first paragraph:
> The Wiz Research team immediately and responsibly disclosed the issue to DeepSeek, which promptly secured the exposure
archon810
FWIW, this is Mark Maunder, CEO of Defiant / Wordfence. I wouldn't write him off as some random guy on the internet.
mmaunder
Posturing huh? Nice. That was intended to be helpful. Go read the CFAA. What they did is, believe it or not, illegal. I didn't make the law, and many think the CFAA is ridiculous, but that's how it works. If you even access a computer system beyond what you've been granted it's a CFAA violation with stiff penalties.
BoorishBears
Quite the posturing with that last sentence
tevon
They left open a publicly exposed database... I'm sure they informed the company about this before publishing their post. Why are you blaming Wiz for this?
xinayder
I agree to your comment, but also there's probably an unspoken gentleman's agreement that DeepSeek fixed the issue and won't pursue legal action against Wiz, since they were helpful and didn't do anything malicious.
I did the same a while ago, an education platform startup had their web server misconfigured, I could clone their repo locally because .git was accessible. I immediately sent them an email from a throwaway account in case they wanted to get me in trouble and informed them about the configuration issues. They thanked me for the warning and suggestions, and even said they could get me a job at their company.
throwaway-bb2
Going throwaway account for this.
Wiz folks are notoriously shady. They cross the line a ton. They did this to Amazon and Microsoft to make a name among other. Super unethical.
Their product isn't terrible but their sales people are just terrible. Completely off-putting. Most of them are idiots from zscaler.
janalsncm
The CFAA is a US law. Assuming you break it, in order for that to matter, an American prosecutor needs to find time to prosecute you for doing so. Does Deepseek have any American presence at all?
Likewise, there may be Chinese laws were violated. However, outside of China they are a moot point.
ziddoap
They're publicly accessible URLs.
DeepSeek & users that had data exposed here should be thanking Wiz.
pinoy420
Yes but they’re chinese so it’s okay /s
They are getting DoS’d by us gov too so they were only trying to help /s
ripped_britches
Ironic - I bet if you ask deepseek r1 how to set up clickhouse it would tell you the right way to do it.
semking
Can you imagine executing arbitrary SQL queries via your web browser? :D
Complete database control and potential privilege escalation within the DeepSeek environment without ANY authentication...
NathanKP
And that's why you run models locally. Or if you want a remote chat model, use something stateless like AWS Bedrock custom model import to avoid having stored chats on the server.
dotancohen
Not many non-gamers have hardware capable of running such a model locally - never mind the skills.
For most people, bash is not a tool for interacting with the computer, it is how they express their frustration with the computer (sometimes leaving damaged keyboards).
razster
I have DeepSeek-R1 1.5b running on a Raspberry Pi 5. I have DS-R1 14b Q6 running on my old AM4 Ryzen with a AMD GPU, without issues. My primary workstation is running 32B Q8 and without issues. And it's simple!
smallerize
That's not the DeepSeek R1 model that they're offering via the API on these servers. That's a Qwen model that's been fine-tuned on output from the big R1 model.
null
loloquwowndueo
Wow all the gamers with mad LLM skillz.
0x457
Pretty sure gamers are mentioned because those are the usual demo that has GPUs with enough memory outside of people in the ML industry.
null
tonygiorgio
You could also use models that run on nvidia’s trusted execution environment.
janalsncm
Nvidia naming it “trusted” doesn’t mean I trust it.
null
sylware
The second Big Tech was threatened by significant competition (DeepSeek), this competition is "stealing"(lol), and is under heavy hacking attacks (main online inference portal).
There you have, the real face of Big Tech. Extinguishing the competition by locking a service behind a portal provided for free, then starting to milk the users, is not enough for them... they will also fight dirty, really dirty.
anhldbk
Good finding. I don't see its timeline usually discussed in other Ethical hacking and responsible disclosures.
Havoc
Ugh. I know I’ve got at least some keys in those logs. Thankfully nothing too intense
danparsonson
Hopefully this is a lesson not to trust your sensitive private data with a public service?
b3ing
It seems fair since all the other AI's scraped copyrighted information, images, video online and from pirated books, etc. without ever asking anyone first.
This is probably an incredibly stupid, off-topic question, but why are their database schemas and logs in English?
Like, when a DeepSeek dev uses these systems as intended, would they also be seeing the columns, keys, etc. in English? Is there usually a translation step involved? Or do devs around the world just have to bite the bullet and learn enough English to be able to use the majority of tools?
I'm realizing now that I'm very ignorant when it comes to non English-based software engineering.