DeepSeek’s Early‑Year Security Fallout: A Post‑Mortem
The article dissects DeepSeek’s series of security breaches in early 2025—including an open ClickHouse database, multiple XSS flaws, model‑level attacks, and regulatory fallout—highlighting how rapid AI product rollout can outpace essential security safeguards.
1. Opening: The Security Pain of a Fast‑Growing AI Star
DeepSeek’s R1 model gained rapid popularity before the 2025 Chinese New Year, offering performance comparable to OpenAI at a low price, which attracted massive user traffic. Simultaneously, a cascade of security incidents began to surface.
Database Exposure
Wiz Research’s internet‑asset scan discovered two subdomains exposing a ClickHouse database without authentication, containing over one million rows of logs, user chat histories, API keys, backend operation data, and other sensitive information.
ClickHouse’s default configuration binds to localhost and has no authentication unless manually set; exposing ports 8123 (HTTP) and 9000 (Native) to the public makes the database fully open.
Chat History Transparency
The exposed database leaked user conversations, API credentials, and full backend control data.
Multiple XSS Vulnerabilities
Two DOM‑based XSS flaws were found in January and February 2025, stemming from improper handling of postMessage events—messages were accepted without origin verification and injected directly into the DOM, enabling script execution and potential account takeover.
DDoS Attack
During the Chinese New Year period, DeepSeek’s website suffered a large‑scale traffic attack, causing intermittent service outages.
Korean Market Suspension
On February 15, 2025, Korea’s Personal Information Protection Committee halted new user downloads of DeepSeek’s app due to “security risks in data collection,” while existing users remained active.
2. First Explosion: ClickHouse Database “Naked” Exposure
2.1 Incident Reconstruction
Wiz Research reported that an internet‑asset scan identified two subdomains with ports that allowed unauthenticated access to a ClickHouse instance, granting anyone full query and control capabilities.
2.2 Configuration as Security
ClickHouse’s listen_host defaults to localhost; if it is changed to anything other than 127.0.0.1 or an internal address, the service may bind to the public network. Additionally, authentication is disabled by default, so exposing the service ports results in a “naked” database.
The root cause was DeepSeek’s prioritization of rapid development over security hardening.
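The exposure described in sections 1 and 2 comes down to two files. The following is an added example (not DeepSeek’s or ClickHouse’s code): a small lint over config.xml and users.xml text that flags a listen_host bound to a routable interface, a default user with an empty password, and a default user reachable from any source network. The two sample configurations are constructed here to mirror the open state and a hardened counterpart; PLACEHOLDER_SHA256_HEX stands in for a real password hash.

```javascript
// Added example, not DeepSeek's or ClickHouse's code: a lint over the two
// ClickHouse files that decide exposure. The snippets below are constructed;
// the password hash is a placeholder, not a real credential.

const PUBLIC_LISTEN = new Set(['0.0.0.0', '::', '*']);
const SERVICE_PORTS = { http_port: 8123, tcp_port: 9000 };

// Every <tag>value</tag> occurrence in an XML string. A regex suffices for this
// flat-setting lint; it is not a general XML parser (self-closing tags are not handled).
function tagValues(xml, tag) {
  const re = new RegExp(`<${tag}>\\s*([^<]*?)\\s*</${tag}>`, 'g');
  return Array.from(xml.matchAll(re), (m) => m[1]);
}

function isLoopbackOrPrivate(host) {
  if (['localhost', '127.0.0.1', '::1'].includes(host)) return true;
  return /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(host);
}

// Returns a list of findings; an empty list means neither file exposes the service.
function auditClickHouse(configXml, usersXml) {
  const findings = [];
  const ports = Object.entries(SERVICE_PORTS)
    .filter(([tag]) => tagValues(configXml, tag).length > 0)
    .map(([, port]) => port);
  for (const host of tagValues(configXml, 'listen_host')) {
    if (PUBLIC_LISTEN.has(host) || !isLoopbackOrPrivate(host)) {
      findings.push(`listen_host ${host} binds ports ${ports.join('/')} to a routable interface`);
    }
  }
  // Only the <users> section matters: <profiles> and <quotas> also carry a <default> block.
  const users = /<users>([\s\S]*?)<\/users>/.exec(usersXml);
  const def = users && /<default>([\s\S]*?)<\/default>/.exec(users[1]);
  if (def) {
    const body = def[1];
    const hashed = [...tagValues(body, 'password_sha256_hex'), ...tagValues(body, 'password_double_sha1_hex')];
    if (hashed.length === 0 && tagValues(body, 'password').every((p) => p === '')) {
      findings.push('default user has an empty password: reaching the port is enough to log in');
    }
    const anyNet = tagValues(body, 'ip').filter((ip) => ip === '::/0' || ip === '0.0.0.0/0');
    if (anyNet.length > 0) {
      findings.push(`default user is reachable from ${anyNet.join(', ')} (any source address)`);
    }
  }
  return findings;
}

// Constructed samples: the exposed state first, then a hardened counterpart.
const EXPOSED_CONFIG = `<clickhouse>
  <listen_host>::</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>`;
const EXPOSED_USERS = `<clickhouse>
  <profiles><default></default></profiles>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
    </default>
  </users>
</clickhouse>`;
const HARDENED_CONFIG = EXPOSED_CONFIG.replace('<listen_host>::</listen_host>', '<listen_host>127.0.0.1</listen_host>');
const HARDENED_USERS = `<clickhouse>
  <users>
    <default>
      <password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
      <networks><ip>10.0.0.0/8</ip></networks>
    </default>
  </users>
</clickhouse>`;

console.log(auditClickHouse(EXPOSED_CONFIG, EXPOSED_USERS));   // three findings
console.log(auditClickHouse(HARDENED_CONFIG, HARDENED_USERS)); // []
```

The three checks map directly onto the article’s point: a wildcard listen_host makes 8123 and 9000 reachable, an empty password for the default user turns reachability into full access, and an any-address network rule removes the last restriction. Run the lint in CI against the rendered configuration rather than only at deploy time, since the open state here is one edited line away from the safe one.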
3. Second Explosion: Chain of XSS Flaws
3.1 PostMessage Trust Issue
The platform used postMessage without validating the message’s origin, directly writing received content to the page via document.write, enabling attackers to inject malicious scripts.
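The two handler shapes the article contrasts, written out as an added example (not DeepSeek’s front-end code). Because Node has no window or document, both handlers are written against a small sink object that stands in for the page; in a real page the unsafe sink is document.write and the safe one is element.textContent. The origin https://chat.deepseek.example is an assumed placeholder, and the events are constructed.

```javascript
// Added example, not DeepSeek's code: an unchecked postMessage listener beside
// a hardened one. The "sink" stands in for the DOM so this runs outside a browser.

// Vulnerable shape: no origin check, HTML-capable sink (document.write in the page).
function makeUnsafeHandler(sink) {
  return (event) => {
    sink.writeHtml(event.data);
    return true;
  };
}

// Hardened shape: exact-match origin allowlist, schema check on the payload, and a
// text-only sink so any markup in the message is rendered as literal characters.
function makeSafeHandler(sink, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return (event) => {
    if (!allowed.has(event.origin)) return false;                     // unexpected sender
    if (typeof event.data !== 'object' || event.data === null) return false;
    if (event.data.type !== 'status' || typeof event.data.text !== 'string') return false;
    sink.writeText(event.data.text);                                   // element.textContent in the page
    return true;
  };
}

// Page stand-in: records what reached the DOM and through which kind of sink.
function makeSink() {
  const log = [];
  return {
    log,
    writeHtml(html) { log.push({ kind: 'html', value: html }); },
    writeText(text) { log.push({ kind: 'text', value: text }); },
  };
}

// Constructed events. A browser fills in event.origin from the sending window;
// the sender cannot forge it, which is what makes the allowlist meaningful.
const UNTRUSTED_MARKUP = '<script>untrusted()</script>';
const TRUSTED_ORIGIN = 'https://chat.deepseek.example';               // assumed placeholder
const hostileEvent = { origin: 'https://attacker.example', data: UNTRUSTED_MARKUP };
const trustedEvent = { origin: TRUSTED_ORIGIN, data: { type: 'status', text: UNTRUSTED_MARKUP } };

function demoPostMessage() {
  const unsafeSink = makeSink();
  makeUnsafeHandler(unsafeSink)(hostileEvent);

  const safeSink = makeSink();
  const safeHandler = makeSafeHandler(safeSink, [TRUSTED_ORIGIN]);
  const hostileAccepted = safeHandler(hostileEvent);
  const trustedAccepted = safeHandler(trustedEvent);

  return { unsafeLog: unsafeSink.log, safeLog: safeSink.log, hostileAccepted, trustedAccepted };
}

console.log(demoPostMessage());
```

Two details carry the fix. The origin comparison is an exact string match against a fixed list, not a substring or regex test, so a look-alike host cannot pass. And even a message from a trusted origin is written as text, so a compromised or buggy trusted page cannot turn the listener into an HTML injection point. On the sending side the same discipline applies: pass the target origin explicitly to postMessage instead of "*".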
3.2 Patch Lag
January 31 2025 – First XSS discovered.
February 1 2025 – Official fix deployed.
Same day – A second XSS vulnerability uncovered.
This pattern shows that ad‑hoc patches cannot keep pace with emerging flaws; a systematic security development lifecycle is required.
4. Third Explosion: Model‑Level Threats
4.1 Gradient‑Reversal Backdoor Injection
APT actors performed gradient‑reversal attacks during a 72‑hour fine‑tuning window, inserting a hidden backdoor that increased error rates for politically sensitive prompts by 47%.
4.2 Model Inversion and Data Recovery
Attackers reconstructed approximately 1.2 TB of training data, including 300 000 records, by exploiting model confidence scores, demonstrating severe data‑privacy risks.
Defensive measures suggested include zero‑trust fine‑tuning environments, model weight signing, integrity verification, and regular red‑team adversarial testing.
5. Fourth Explosion: Regulatory and Brand Fallout
5.1 Korean Regulatory Action
From February 15 2025, the Korean regulator suspended new downloads of DeepSeek’s app, citing security concerns, while existing users were advised to avoid entering sensitive information.
5.2 Phishing via Impersonation Sites
Following DeepSeek’s surge in popularity, counterfeit websites proliferated to defraud users, illustrating the “brand‑boom security shadow” effect.
6. Reflection: Aligning AI Development with Security
6.1 Asymmetric Security Investment
Compared with Anthropic and OpenAI, which treat security as a “nuclear‑level” task, DeepSeek’s incidents expose a security debt caused by prioritizing speed over protection.
6.2 From Lab Mindset to Production‑Grade Security
Key differences:
Lab mindset: “demo only”, “launch first”, “fix later”.
Production security: verify every port’s bind address, validate all inputs, ensure trusted supply‑chain for model training, and audit model outputs.
6.3 Innovative Defense: Dual‑Channel Verification
A “dual‑channel verification system” cross‑checks model outputs against an authoritative knowledge graph; outputs with cosine similarity below 0.7 trigger manual review, reducing error‑report rates from 12 % to 0.3 % in financial stress‑testing.
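The gate described above, written out as an added example (not DeepSeek’s system): each model output is scored against every reference fact from the knowledge graph, the best cosine similarity is kept, and anything below 0.7 is routed to manual review. The embedding vectors are constructed three-dimensional toys; a real deployment would embed the output and the matching facts with the same encoder. The example also reports the review rate over a batch and treats zero-length or empty-reference cases as needing review.

```javascript
// Added example, not DeepSeek's code: cosine-similarity gating of model outputs
// against knowledge-graph reference embeddings. Vectors below are constructed.
const REVIEW_THRESHOLD = 0.7;

function cosine(a, b) {
  if (a.length !== b.length) throw new Error('dimension mismatch');
  let dot = 0, na = 0, nb = 0;
  for (let i = 0; i < a.length; i++) {
    dot += a[i] * b[i];
    na += a[i] * a[i];
    nb += b[i] * b[i];
  }
  if (na === 0 || nb === 0) return 0;   // a zero vector carries no support for the output
  return dot / Math.sqrt(na * nb);
}

// Score an output against every reference fact and keep the best match.
// With no references the similarity stays at -1, so the output goes to review.
function routeOutput(outputVec, referenceVecs, threshold = REVIEW_THRESHOLD) {
  let best = { similarity: -1, index: -1 };
  referenceVecs.forEach((ref, i) => {
    const s = cosine(outputVec, ref);
    if (s > best.similarity) best = { similarity: s, index: i };
  });
  return { ...best, action: best.similarity < threshold ? 'manual_review' : 'auto_release' };
}

// Batch view: per-output decisions plus the fraction sent to review.
function routeBatch(outputs, referenceVecs, threshold = REVIEW_THRESHOLD) {
  const decisions = outputs.map((o) => routeOutput(o, referenceVecs, threshold));
  const reviewed = decisions.filter((d) => d.action === 'manual_review').length;
  return { decisions, reviewRate: decisions.length === 0 ? 0 : reviewed / decisions.length };
}

// Constructed knowledge-graph facts and model outputs (3-d for readability).
const KNOWLEDGE_GRAPH = [[1, 0, 0], [0, 0, 1]];
const OUTPUTS = [
  [0.9, 0.1, 0],   // close to fact 0: released
  [1, 1, 0],       // cosine 0.7071, just above the threshold: released
  [1, 1.1, 0],     // cosine 0.6727, just below: review
  [0, 1, 0],       // orthogonal to every fact: review
  [0, 0, 0],       // empty embedding: review
];

console.log(routeBatch(OUTPUTS, KNOWLEDGE_GRAPH));
```

The second and third outputs sit on either side of 0.7 and show why the threshold is a policy choice rather than a constant: moving it changes the review load directly, which is the trade-off behind the 12 % to 0.3 % figure the article reports.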
7. Conclusion
The DeepSeek security saga underscores that AI progress must be matched by robust, multi‑layered security practices; otherwise, rapid user growth becomes a liability.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.