eFinder

Thousands of AI-built apps exposed sensitive corporate and personal data, researchers found

Topics: Shadow AI; Corporate Responsibility vs. User Error; Cybersecurity Risks of AI

What to know about Shadow AI

The article reports on findings by cybersecurity firm RedAccess regarding the exposure of sensitive corporate and personal data through AI-powered 'vibe-coding' tools. It includes specific examples of leaked data and presents conflicting perspectives from the security firm and the AI platform providers regarding the nature of the vulnerability and the disclosure process.

Propaganda risk 20%
Claims checked 19
Techniques found 2
Topics 3

Coverage spectrum

Coverage gap: Low Left coverage
Left 0%
Center 100%
Right 0%

3 sources compared across this story cluster. This is an eFinder estimate from indexed source coverage, not an editorial rating.

What happened

The AI coding tools letting anyone "build" software without engineering skills are also letting medical records, financial data and Fortune 500 internal docs leak onto the open web, security researchers say.

Why it matters

Why it matters: AI coding tools are enabling employees without engineering or cybersecurity training to publish internal tools publicly, often without company oversight or basic access controls.

Common ground

Driving the news: Israeli cybersecurity firm RedAccess told Axios it found 380,000 publicly accessible assets built with tools from Lovable, Base44, Replit and Netlify, including about 5,000 containing sensitive corporate data.

Perspective signals

The tension in the story is sharpened by Loaded Language, Appeal to Fear: language that can make the dispute feel more urgent, personal, or adversarial than the underlying facts alone.


Analysis

Propaganda Score: 20% (confidence: 95%)
Minor concerns. Some persuasive language detected, but largely factual.

Propaganda Techniques Detected

eFinder identified 2 propaganda techniques in this article. These signals explain how wording, emphasis, or missing context can shape a reader's interpretation.

Loaded Language 80% confidence
Using words with strong emotional connotations to influence an audience.
Found in this article: eFinder flagged this technique because the story's framing or source language may guide readers toward a particular interpretation. Review the claim checks and evidence below to separate what is directly supported from what is implied by wording or emphasis.
Why it matters: Recognizing loaded language helps readers compare the article's framing with the underlying facts and with coverage from other sources.
Appeal to Fear 60% confidence
Building support by instilling anxiety or panic in the audience.
Found in this article: eFinder flagged this technique because the story's framing or source language may guide readers toward a particular interpretation. Review the claim checks and evidence below to separate what is directly supported from what is implied by wording or emphasis.
Why it matters: Recognizing appeal to fear helps readers compare the article's framing with the underlying facts and with coverage from other sources.

Claims Checked

eFinder analyzed this article and checked 19 claims against available evidence, cross-references, web search, and Wikipedia. Here is what the fact-checking layer found.

Pending 9
Single Source 8
Insufficient Evidence 2
Claim 1: “two of the allegedly exposed applications were "deliberately set to public by their owners."”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 2: “RedAccess also found exposed applications that leaked customer data and personally identifiable information, including: Conversations with patients at a long-term care facility for children.”
INSUFFICIENT EVIDENCE
No evidence was found in the provided search results for this claim.
Claim 3: “Lovable spokesperson Samyutha Reddy told Axios that the company is still investigating some of the reported lists”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 4: “Full, unredacted customer service conversations for a cabinet supplier in the UK.”
SINGLE SOURCE
The search results discuss the UK Cabinet and unrelated unredacted photos, but do not mention a UK cabinet supplier's customer service conversations.
web search NEUTRAL — Explore unredacted files and discover hidden truths behind the Epstein scandal. Stay updated on political news related to Trump and Epstein.Victims' unredacted photos and full names exposed, risking t…
https://www.tiktok.com/discover/unredacted-photo
web search NEUTRAL — You can browse the list of Cabinet Ministers for His Majesty's Government below. They are ordered by Ministerial ranking. Prime Minister. Cabinet Office. Prime Minister and First Lord of the Treasury.
https://members.parliament.uk/Government/Cabinet
web search NEUTRAL — With Clayton’s extensive journalism experience, he isn’t afraid to demand the truth from authorities. Redacted is an independent platform, unencumbered by external factors or restrictive policies.
https://www.youtube.com/channel/UCoJhK5kMc4LjBKdiYrDtzlA
Claim 5: “An app created for a school that includes recordings of lessons, as well as student-related data and the teacher's schedule.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 6: “An app for a hospital that had doctor and patient conversation summaries, patient complaints and staff schedules.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 7: “Blake Brodie, a spokesperson for Base44, told Axios that RedAccess "deliberately withheld the URLs that would have allowed us to identify and examine the applications in question"”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 8: “An internal application for a health company that details active clinical trials across the UK.”
SINGLE SOURCE
The search results discuss a specific clinical trial for SaNOtize and a security issue with the 'axios' npm package, but do not mention an exposed health company app detailing UK trials.
web search NEUTRAL — Trial concluded that treatment accelerated clearance of SARS-CoV-2 by a factor of 16-fold versus a placebo. Randomized, double-blind, placebo-controlled trial evaluated 79 confirmed cases of COVID-19,…
https://www.businesswire.com/news/home/20210315005197/en/UK-…
web search NEUTRAL — Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross platform RAT. We are actively investigatin…
https://www.stepsecurity.io/blog/axios-compromised-on-npm-ma…
web search NEUTRAL — Quora is a place to gain and share knowledge. It's a platform to ask questions and connect with people who contribute unique insights and quality answers. This empowers people to learn from each other…
https://www.quora.com/
Claim 9: “Many of these applications are also indexed by Google and similar search engines”
SINGLE SOURCE
The search results discuss Google indexing in general or Google Drive, but do not provide evidence that these specific AI-built applications are being indexed.
web search NEUTRAL — Images. Sign in. Google. Advanced search. Advertising Business Solutions About Google Google.ru.
https://www.google.com/
web search NEUTRAL — Modern search engines (like Google, for example) increasingly use AI (AI Snippets, FAQ’s) to: Summarize indexed content. Answer questions using public documents. Generate overviews from multiple sourc…
https://www.docontrol.io/blog/google-drive-files-indexed-sea…
web search NEUTRAL — Here's a short list of search engines that do not push AI in your face and instead go the old-school route with actual website results. A warning: Two of these search engines (Brave and DuckDuckGo) of…
https://www.zdnet.com/article/google-search-alternatives-no-…
Claim 10: “A personal app someone created to help plan a couple's vacation in Belgium, including details about their hotel and dinner reservations.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 11: “RedAccess also found phishing sites built using Lovable that impersonated well-known brands, including Bank of America, FedEx, Trader Joe's and McDonald's.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 12: “including about 5,000 containing sensitive corporate data”
SINGLE SOURCE
The MSN snippet mentions 'including about 5,000', and another search result mentions 'Around 40 percent of the apps exposed sensitive data', but there is no second independent source confirming the specific figure of 5,000.
web search NEUTRAL — Around 40 percent of the apps exposed sensitive data, Zvi says, including medical information, financial data, corporate presentations, and strategy documents, as well as detailed logs of customer con…
https://www.wired.com/story/thousands-of-vibe-coded-apps-exp…
web search NEUTRAL — Data leakage: Sensitive corporate data can be easily accessed and transferred to personal cloud storage or email accounts, increasing the risk of sensitive data falling into the wrong hands.
https://redaccess.io/byod-security-solutions/
web search NEUTRAL — This millennium has seen the most advanced technological developments in human history, and the latest shift towards cloud-based technologies has changed the...
https://www.youtube.com/watch?v=g7JaN3rTK2A
Claim 13: “In an X post on Tuesday, Replit CEO Amjad Masad claimed RedAccess only gave the company 24 hours before going to the press and did not share a list of impacted users.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 14: “RedAccess shared its findings with Axios on Monday”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 15: “privacy settings on some of the vibe-coding tools were set to make the apps publicly accessible unless users manually changed them to private”
SINGLE SOURCE
The provided web results for this claim are generic YouTube descriptions or guides on local LLMs and do not address the default privacy settings of 'vibe-coding' tools.
web search NEUTRAL — About Press Copyright Contact us Creators Advertise Developers Terms Privacy Policy & Safety How YouTube works Test new features.
https://www.youtube.com/watch?v=EH5jx5qPabU
web search NEUTRAL — Today, you can run surprisingly capable AI systems on a laptop or desktop, keep your data private, stay offline when needed, and avoid pay-per-token costs. This guide covers two things: The Top 5 tool…
https://dev.to/lightningdev123/top-5-local-llm-tools-and-mod…
web search NEUTRAL — Unlock more AI tools with : Web App Join Workik. Download Desktop App. Install VS Code Extension. This is exclusively available for Registered Users!. Sign-up to access cutting edge Workik AI Tools, f…
https://workik.com/ai-code-writer
Claim 16: “Israeli cybersecurity firm RedAccess told Axios it found 380,000 publicly accessible assets built with tools from Lovable, Base44, Replit and Netlify”
SINGLE SOURCE
The claim is explicitly mentioned in an MSN snippet citing Axios, but no other independent news organization corroborates the specific number (380,000) or the specific list of tools in the provided evidence.
web search NEUTRAL — Driving the news: Israeli cybersecurity firm RedAccess told Axios it found 380,000 publicly accessible assets built with tools from Lovable, Base44, Replit and Netlify, including about 5,000 ...
https://www.msn.com/en-us/technology/software/thousands-of-a…
web search NEUTRAL — Our research uncovered multiple critical vulnerabilities in Base44, an AI-powered platform that lets you turn any idea into a fully functional custom app. These flaws ranged from an open redirect that…
https://www.imperva.com/blog/critical-flaws-in-base44-expose…
web search NEUTRAL — A mass Lovable breach disclosed April 20, 2026 exposed source code, DB credentials, AI chats, and customer data across every pre-November 2025 project. Full guide.
https://bastion.tech/blog/lovable-april-2026-data-breach/
Claim 17: “Internal financial information for a Brazilian bank.”
SINGLE SOURCE
The search results provide general information about the news site Axios and the npm package, but no mention of exposed financial info for a Brazilian bank.
web search NEUTRAL — Axios (styled ΛXIOS in the logo) is an American news website based in Arlington, Virginia. It was founded in 2016 and launched the following year by former Politico journalists Jim VandeHei, Mike Alle…
https://en.m.wikipedia.org/wiki/Axios_(website)
web search NEUTRAL — Why it matters: The White House is waiting for Iran's response to a one-page memorandum of understanding (MOU) to end the war and set a framework for more detailed nuclear negotiations, as Axios first…
https://www.axios.com/
web search NEUTRAL — Promise based HTTP client for the browser and node.js. Latest version: 1.16.0, last published: 4 days ago. Start using axios in your project by running `npm i axios`. There are 176335 other projects i…
https://www.npmjs.com/package/axios
Claim 18: “Axios independently verified multiple exposed apps this week, including: An app for a shipping company detailing which vessels are expected at which ports.”
SINGLE SOURCE
The search results provide general information about Maersk and shipping, but do not mention Axios verifying an exposed app for a shipping company.
web search NEUTRAL — With this vessel tracker you can monitor ship positions, vessel tracking, ship tracking, vessel position, vessels traffic, port activity in realtime map.Mobile Apps. List your Company. About. Terms of…
https://www.myshiptracking.com/
web search NEUTRAL — Find sailing schedules online with Maersk. Search our extensive routes via vessel schedules, port calls and more.
https://www.maersk.com/schedules/vesselSchedules
web search NEUTRAL — Quoting anonymous sources, Axios said the proposed wave of strikes would be likely to include infrastructure targets. Another plan focused on taking over part of the Strait of Hormuz so that it could …
https://www.bbc.com/news/articles/c5yv6xr6me3o
Claim 19: “A security company that used one of these platforms to triage information about ongoing incidents that their customers were facing.”
INSUFFICIENT EVIDENCE
No evidence was found in the provided search results for this claim.

Disclaimer: This analysis is generated by AI and should be used as a starting point for critical thinking, not as definitive truth. Claims are verified against publicly available sources. Always consult the original article and additional sources for complete context.