Lovable A.I CyberSecurity Scoring
Lovable
Company Information
Website: https://lovable.dev
Employees: 957
Followers: 427,012
NAICS: 5112
Industry Type: Software Development
Homepage: lovable.dev
Lovable Risk Score (AI oriented)
Score band: between 700 and 749
Lovable, Software Development
Updated: 07/05/2026
700/1000, Moderate (Ba)
Lovable Global Score (TPRM)
Score locked
Lovable, Software Development
Current Score: 700 Ba (MODERATE) on a 0 to 1000 scale
3 incidents, -33 points average impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
702
MAY 2026
705
Vulnerability
04 May 2026 • Lovable
Lovable, Base44, Replit, Netlify and FedEx: AI vibe-coding apps leak sensitive data
AI Coding Tools Expose Sensitive Data in Massive Security Oversight
700
CRITICAL-5
FEDLOVBASNETREP1778156932
Israeli cybersecurity firm RedAccess uncovered over 380,000 publicly accessible applications built with low-code and AI-powered tools from Lovable, Base44, Replit, and Netlify, roughly 5,000 of which contained sensitive corporate and personal data. The findings, shared with Axios on Monday, show how employees without security training expose confidential information through misconfigured visibility settings.
RedAccess CEO Dor Zvi said the apps were discovered while investigating "shadow AI", the unauthorized use of AI tools by employees. Many applications were public by default and required a manual change to restrict access. Examples of what was exposed included:
- Medical records (doctor-patient conversations, clinical trial details, hospital staff schedules)
- Financial data (internal bank records, customer service logs)
- Corporate intelligence (shipping vessel routes, internal incident reports)
- Phishing sites impersonating brands like Bank of America, FedEx, and McDonald’s
Representatives from the affected platforms responded with mixed reactions. Base44 accused RedAccess of withholding URLs needed for verification, while Lovable acknowledged the reports but noted they lacked technical specifics to act immediately. Replit emphasized that users control app visibility, with CEO Amjad Masad stating RedAccess gave only 24 hours’ notice before public disclosure. Netlify did not respond to requests for comment.
Security researchers confirmed that many exposed apps were indexed by Google, making them easily discoverable. Axios independently verified several cases, including:
- A hospital app with unredacted patient complaints and staff schedules
- A Brazilian bank’s internal financial records
- A school app containing lesson recordings and student data
The incident underscores how AI-driven "vibe coding" tools designed for non-technical users are enabling rapid, large-scale data exposure. As Zvi noted, the lack of built-in safeguards means even basic security oversights can lead to unintentional public leaks of critical information. Some exposed apps were taken down after companies were notified, but the broader issue of unauthorized AI tool usage in enterprises remains unaddressed.
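The report describes the apps as having been found while investigating shadow AI, which in practice starts from an inventory of which platform-hosted apps your own staff are reaching. The following script is an added example, not code from RedAccess, Axios or any of the platforms named above: it parses constructed proxy log lines, keeps only hosts served from the app-hosting suffixes of the four platforms, and orders the result so that apps whose names hint at medical, financial or operational data are reviewed first. The hosting suffixes in `PLATFORM_SUFFIXES`, the log format, the hostnames and the `SENSITIVE_HINTS` keyword list are all assumptions made for the example; confirm each platform's real deployment domains and your proxy's actual log format before using it.

```python
import re

# ASSUMPTION: hosting suffixes for apps built on the four platforms named in the
# report. These are illustrative; verify each platform's real deployment domains.
PLATFORM_SUFFIXES = {
    "lovable": (".lovable.app",),
    "base44": (".base44.app",),
    "replit": (".replit.app", ".repl.co"),
    "netlify": (".netlify.app",),
}

# Hostname labels that suggest an app may hold the kinds of data the report describes.
SENSITIVE_HINTS = ("clinic", "patient", "hospital", "bank", "invoice",
                   "payroll", "fleet", "student", "incident")

# Constructed sample proxy log lines (not real traffic): "<timestamp> <user> <method> <url> <status>".
SAMPLE_LOG = """\
2026-05-01T09:12:03Z alice GET https://clinic-roster.lovable.app/ 200
2026-05-01T09:12:05Z alice GET https://clinic-roster.lovable.app/api/staff 200
2026-05-01T10:40:11Z bob GET https://invoice-helper.base44.app/ 200
2026-05-01T11:02:55Z carol GET https://www.example.com/ 200
2026-05-02T08:15:20Z dave POST https://fleet-tracker.replit.app/api/routes 201
2026-05-02T08:16:02Z alice GET https://clinic-roster.lovable.app/ 200
2026-05-02T14:30:44Z erin GET https://sales-deck.netlify.app/ 200
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
HOST_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)", re.IGNORECASE)


def classify_host(host):
    """Return the platform name if `host` is served from a tracked suffix, else None."""
    host = host.lower().rstrip(".")
    for platform, suffixes in PLATFORM_SUFFIXES.items():
        if any(host.endswith(suffix) for suffix in suffixes):
            return platform
    return None


def inventory(log_text):
    """Build {host: {platform, users, first_seen, hits}} for every platform-hosted app in the log."""
    apps = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        h = HOST_RE.match(m["url"])
        if not h:
            continue
        host = h["host"].lower()
        platform = classify_host(host)
        if platform is None:
            continue  # ordinary web traffic, not a platform-hosted app
        entry = apps.setdefault(
            host, {"platform": platform, "users": set(), "first_seen": m["ts"], "hits": 0})
        entry["users"].add(m["user"])
        entry["hits"] += 1
        # ISO-8601 timestamps in one format sort chronologically as strings.
        entry["first_seen"] = min(entry["first_seen"], m["ts"])
    return apps


def review_queue(apps):
    """Order discovered apps so those whose names hint at sensitive data are checked first."""
    rows = []
    for host, info in apps.items():
        label = host.split(".")[0]
        hints = [k for k in SENSITIVE_HINTS if k in label]
        rows.append({"host": host, "platform": info["platform"], "hints": hints,
                     "users": sorted(info["users"]), "hits": info["hits"]})
    rows.sort(key=lambda r: (-len(r["hints"]), r["host"]))
    return rows


if __name__ == "__main__":
    for row in review_queue(inventory(SAMPLE_LOG)):
        print(f"{row['host']:<32} {row['platform']:<8} hints={row['hints']} "
              f"users={row['users']} hits={row['hits']}")
```

The queue is only a starting point: each host still has to be opened without credentials to confirm whether it is public, and the owning employee has to be found through the access logs (the `users` field) rather than through the platform, since the platforms told Axios that visibility is controlled by the user who built the app.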
Incident details: Data breach
APRIL 2026
766
Breach
19 Apr 2026 • Lovable
Lovable: Lovable denies mass data breach
Lovable Denies Data Breach After User Exposes Security Flaw in AI Coding Platform
705
CRITICAL-61
LOV1776717678
Swedish no-code startup Lovable has refuted claims of a mass data breach after an anonymous user alleged that sensitive user information including chat histories, emails, names, and dates of birth was accessible through a security flaw. The incident surfaced on X (formerly Twitter) when the user demonstrated how they could view and download other customers’ project data, including full chat logs and website source code, simply by creating a free account.
The user, who said they had reported the bug 48 days earlier, claimed Lovable had marked the issue as a duplicate and left it unresolved. Their post, viewed over 500,000 times by 6 PM BST, included screenshots that appeared to confirm the exposure. Lovable responded hours later, denying a breach but acknowledging poor communication about data-visibility settings. The company said that chats on public projects had previously been visible and that this behaviour had since been disabled, though only for enterprise customers, as of May 25, 2025.
Founded in 2024, Lovable enables users to build apps and websites without coding, backed by $500 million in funding from investors like Accel, Creandum, and EQT. The incident coincides with the company’s recent partnership with security firm Aikido to offer penetration testing for user-built applications, as well as internal pressure to accelerate product updates amid reports that rival Anthropic is developing a competing tool.
Incident details: Data breach
MARCH 2026
766
FEBRUARY 2026
765
JANUARY 2026
765
DECEMBER 2025
765
NOVEMBER 2025
765
OCTOBER 2025
765
SEPTEMBER 2025
765
AUGUST 2025
765
JULY 2025
764
MAY 2025
766
Vulnerability
25 May 2025 • Lovable
Lovable: Lovable denies mass data breach
Lovable Denies Data Breach After User Exposes Chat History Vulnerability
764
CRITICAL-2
LOV1776731185
Swedish no-code startup Lovable has refuted claims of a mass data breach after an anonymous user alleged that sensitive user information including chat histories, emails, names, and dates of birth was accessible through a security flaw. The user, who posted on X (formerly Twitter), stated they could view and download other customers' project data, including full chat logs, after creating a free account. The post, which gained over half a million views within hours, also claimed the vulnerability had been reported 48 days prior but remained unresolved, marked as a duplicate issue by the company.
Lovable responded on X, denying a breach but acknowledging poor communication about data visibility settings. The company clarified that while chat messages for public projects were previously accessible, this functionality had been disabled for enterprise customers since May 25, 2025. Screenshots shared by the user appeared to confirm the exposure of sensitive data, including source code and personal details.
Founded in 2024, Lovable enables users to build apps and websites without coding expertise and has raised over $500 million from investors such as Accel, Creandum, and EQT. The incident coincides with the company’s recent partnership with security firm Aikido to offer penetration testing for user-built applications, as well as internal efforts to roll out a product update amid reports that AI rival Anthropic is developing a competing tool.
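Both the 19 Apr 2026 and the 25 May 2025 entries above describe the same symptom: a free account could view and download other customers' chat logs and source, and Lovable's fix was to stop exposing chats on public projects. The page does not say how the flaw worked internally, so the following is an added, generic illustration of the access-control class that symptom matches, not Lovable's code: a read endpoint that checks that a caller is logged in but never checks that the caller is allowed to see the requested project (broken object-level authorization), shown beside a hardened version in which chats are owner-only regardless of visibility and a public project exposes only its source. The in-memory store, project ids, user names and chat contents are constructed for the example, and `cross_tenant_leaks` is a small probe, also added here, that runs every user against every project to show the difference.

```python
from dataclasses import dataclass, field


@dataclass
class Project:
    id: str
    owner: str
    visibility: str                              # "private" or "public"
    chat: list = field(default_factory=list)     # prompt history; may hold PII or secrets
    source: str = ""                             # generated site/app source


class NotFound(Exception):
    pass


# Constructed sample tenants and projects (not real accounts or projects).
PROJECTS = {
    "p-100": Project("p-100", "alice", "private",
                     ["Build a patient intake form for the clinic",
                      "Use SMTP password hunter2"],
                     "<form>...</form>"),
    "p-200": Project("p-200", "bob", "public",
                     ["Make a landing page for my bakery"],
                     "<html>...</html>"),
}


# VULNERABLE: authentication is checked, authorization is not. Any logged-in
# account, including a free one created minutes ago, can read any project's
# chat and source simply by supplying its id.
def get_project_vulnerable(session_user, project_id):
    if session_user is None:
        raise PermissionError("login required")
    proj = PROJECTS.get(project_id)
    if proj is None:
        raise NotFound(project_id)
    return {"chat": proj.chat, "source": proj.source}


# HARDENED: object-level authorization on every read. The chat is owner-only
# regardless of visibility; a public project exposes only its source.
def get_project_hardened(session_user, project_id):
    proj = PROJECTS.get(project_id)
    if proj is None:
        raise NotFound(project_id)
    if session_user is not None and session_user == proj.owner:
        return {"chat": proj.chat, "source": proj.source}
    if proj.visibility == "public":
        return {"source": proj.source}
    # Same error for "missing" and "not yours", so ids cannot be enumerated.
    raise NotFound(project_id)


def cross_tenant_leaks(handler, users):
    """Probe every (user, project) pair; report pairs where a non-owner received another tenant's chat."""
    leaks = set()
    for user in users:
        for pid, proj in PROJECTS.items():
            try:
                out = handler(user, pid)
            except (NotFound, PermissionError):
                continue
            if user != proj.owner and out.get("chat"):
                leaks.add((user, pid))
    return leaks


if __name__ == "__main__":
    users = ["alice", "bob", "free-trial-user"]
    print("vulnerable:", sorted(cross_tenant_leaks(get_project_vulnerable, users)))
    print("hardened:  ", sorted(cross_tenant_leaks(get_project_hardened, users)))
```

The probe is the check a practitioner would keep in CI for any multi-tenant endpoint: create two low-privilege accounts, have each request the other's object ids, and fail the build if anything other than a not-found comes back. Note that the hardened handler returns the same error for a private project and a non-existent one; returning a distinct "forbidden" would confirm which ids exist.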
Incident details: Data breach