Over 5,000 applications built using "vibe coding" tools like Lovable and Replit are currently exposing sensitive personal and corporate data to the open web. Security researcher Dor Zvi discovered that these AI-generated apps often lack necessary security guardrails, leaking medical records, financial data, and confidential strategy documents without the knowledge of the organizations involved. Because many of these projects are created by employees experimenting with rapid AI development, the companies themselves may be entirely unaware that their proprietary information is being indexed online.
The breach includes a wide range of high-risk materials: detailed customer chatbot logs, corporate presentations, and internal strategy documents. The findings highlight a growing security gap in which ease of use in AI development outpaces data protection standards. Organizations must account for several high-risk exposures identified in these vibe-coded apps:
- Unsecured API keys and backend credentials.
- Publicly accessible databases containing private user conversations.
- Unencrypted document storage hosting sensitive corporate files and medical information.


