Netlify A.I CyberSecurity Scoring
Netlify
Company Information
Website: https://www.netlify.com
Employees number: 183
Number of followers: 35,854
NAICS: 5112
Industry Type: Software Development
Homepage: netlify.com
Netlify Risk Score (AI oriented)
Between 700 and 749
Updated: 07/05/2026
722/1000
Moderate
Ba
Current Score
722 Ba (MODERATE)
2 incidents
-15.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 724
MAY 2026: 728
Vulnerability
04 May 2026 • Netlify
Lovable, Base44, Replit, Netlify and FedEx: AI vibe-coding apps leak sensitive data
AI Coding Tools Expose Sensitive Data in Massive Security Oversight
722
CRITICAL-6
FEDLOVBASNETREP1778156932
Israeli cybersecurity firm RedAccess uncovered over 380,000 publicly accessible applications built using low-code and AI-powered tools from Lovable, Base44, Replit, and Netlify, including roughly 5,000 containing sensitive corporate and personal data. The findings, shared with Axios on Monday, highlight how employees without cybersecurity training are inadvertently exposing confidential information through misconfigured privacy settings.
RedAccess CEO Dor Zvi revealed the apps were discovered while investigating "shadow AI," the unauthorized use of AI tools by employees. Many applications were set to public by default, requiring manual adjustments to restrict access. Some exposed data included:
- Medical records (doctor-patient conversations, clinical trial details, hospital staff schedules)
- Financial data (internal bank records, customer service logs)
- Corporate intelligence (shipping vessel routes, internal incident reports)
- Phishing sites impersonating brands like Bank of America, FedEx, and McDonald’s
Representatives from the affected platforms responded with mixed reactions. Base44 accused RedAccess of withholding URLs needed for verification, while Lovable acknowledged the reports but noted they lacked technical specifics to act immediately. Replit emphasized that users control app visibility, with CEO Amjad Masad stating RedAccess gave only 24 hours’ notice before public disclosure. Netlify did not respond to requests for comment.
Security researchers confirmed that many exposed apps were indexed by Google, making them easily discoverable. Axios independently verified several cases, including:
- A hospital app with unredacted patient complaints and staff schedules
- A Brazilian bank’s internal financial records
- A school app containing lesson recordings and student data
The incident underscores how AI-driven "vibe coding" tools, designed for non-technical users, are enabling rapid, large-scale data exposure. As Zvi noted, the lack of built-in safeguards means even basic security oversights can lead to unintentional public leaks of critical information. Some exposed apps were taken down after companies were notified, but the broader issue of unauthorized AI tool usage in enterprises remains unaddressed.
MAY 2026: 753
Cyber Attack
01 May 2026 • Netlify
Google, Vercel, Netlify, Canva and Adobe: 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign
Vietnamese-Linked Phishing Operation Hijacks 30,000 Facebook Accounts via Google AppSheet
728
LOW-25
CANADOGOONETVER1777660893
A newly uncovered cybercriminal operation, dubbed AccountDumpling by Guardio Labs, has exploited Google AppSheet as a phishing relay to compromise approximately 30,000 Facebook accounts. The campaign, attributed to Vietnamese threat actors, targets business account owners with deceptive emails impersonating Meta Support, warning of imminent account deletion unless users submit an appeal.
The attack begins with phishing emails sent from a Google AppSheet address ([email protected]), bypassing spam filters by leveraging the platform’s legitimacy. Victims are directed to fake Meta-branded pages, hosted on Netlify or Vercel or disguised as Google Drive PDFs, where they are tricked into entering credentials, two-factor authentication (2FA) codes, government ID photos, and other sensitive data. Stolen information is exfiltrated to attacker-controlled Telegram channels, which collectively hold records from victims across the U.S., Italy, Canada, the Philippines, and other countries.
The operation employs multiple lures, including:
- Fake Meta appeals (e.g., account disablement, copyright complaints, or verification reviews).
- Blue badge evaluation scams, using bogus CAPTCHA checks to harvest credentials.
- Google Drive-hosted PDFs (created via Canva) that mimic verification instructions.
- Fake job offers impersonating companies like Meta, WhatsApp, and Adobe to build trust before redirecting victims to malicious sites.
Metadata from the Canva-generated PDFs led researchers to a Vietnamese individual, PHẠM TÀI TÂN, whose website (phamtaitan[.]vn) advertises digital marketing services. Open-source intelligence suggests the operation is part of a broader underground economy where stolen Facebook accounts, along with associated ad reputations and recovery access, are monetized through illicit storefronts.
The campaign reflects a growing trend of Vietnamese threat actors repurposing trusted platforms (e.g., Google AppSheet, Netlify, Vercel) to scale phishing attacks, highlighting the commodification of compromised social media assets in cybercrime markets.
APRIL 2026: 753
MARCH 2026: 753
FEBRUARY 2026: 753
JANUARY 2026: 753
DECEMBER 2025: 753
NOVEMBER 2025: 753
OCTOBER 2025: 753
SEPTEMBER 2025: 753
AUGUST 2025: 753
JULY 2025: 753