Thousands of AI-built apps exposed sensitive corporate and personal data, researchers found
The article reports on findings by cybersecurity firm RedAccess regarding the exposure of sensitive corporate and personal data through AI-powered 'vibe-coding' tools. It includes specific examples of leaked data and presents conflicting perspectives from the security firm and the AI platform providers regarding the nature of the vulnerability and the disclosure process.
Read the original article: https://axios.com/2026/05/07/loveable-replit-vibe-coding-privacy
Analysis
Propaganda Score: 20% (confidence: 95%)
Minor concerns. Some persuasive language detected, but largely factual.
Detected Techniques
Loaded Language
80% confidence
Using words with strong emotional connotations to influence an audience.
Fact-Check Results
19 claims extracted and verified against multiple sources including cross-references, web search, and Wikipedia.
Pending: 9
Single Source: 8
Insufficient Evidence: 2
“Israeli cybersecurity firm RedAccess told Axios it found 380,000 publicly accessible assets built with tools from Lovable, Base44, Replit and Netlify”
SINGLE SOURCE
The claim is explicitly mentioned in an MSN snippet citing Axios, but no other independent news organization corroborates the specific number (380,000) or the specific list of tools in the provided evidence.
web search
NEUTRAL
— Driving the news: Israeli cybersecurity firm RedAccess told Axios it found 380,000 publicly accessible assets built with tools from Lovable, Base44, Replit and Netlify, including about 5,000 ...
https://www.msn.com/en-us/technology/software/thousands-of-a…
web search
NEUTRAL
— Our research uncovered multiple critical vulnerabilities in Base44, an AI-powered platform that lets you turn any idea into a fully functional custom app. These flaws ranged from an open redirect that…
https://www.imperva.com/blog/critical-flaws-in-base44-expose…
web search
NEUTRAL
— A mass Lovable breach disclosed April 20, 2026 exposed source code, DB credentials, AI chats, and customer data across every pre-November 2025 project. Full guide.
https://bastion.tech/blog/lovable-april-2026-data-breach/
“including about 5,000 containing sensitive corporate data”
SINGLE SOURCE
The MSN snippet mentions 'including about 5,000', and another search result mentions 'Around 40 percent of the apps exposed sensitive data', but there is no second independent source confirming the specific figure of 5,000.
web search
NEUTRAL
— Around 40 percent of the apps exposed sensitive data, Zvi says, including medical information, financial data, corporate presentations, and strategy documents, as well as detailed logs of customer con…
https://www.wired.com/story/thousands-of-vibe-coded-apps-exp…
web search
NEUTRAL
— Data leakage: Sensitive corporate data can be easily accessed and transferred to personal cloud storage or email accounts, increasing the risk of sensitive data falling into the wrong hands.
https://redaccess.io/byod-security-solutions/
web search
NEUTRAL
— This millennium has seen the most advanced technological developments in human history, and the latest shift towards cloud-based technologies has changed the...
https://www.youtube.com/watch?v=g7JaN3rTK2A
“privacy settings on some of the vibe-coding tools were set to make the apps publicly accessible unless users manually changed them to private”
SINGLE SOURCE
The provided web results for this claim are generic YouTube descriptions or guides on local LLMs and do not address the default privacy settings of 'vibe-coding' tools.
web search
NEUTRAL
— About Press Copyright Contact us Creators Advertise Developers Terms Privacy Policy & Safety How YouTube works Test new features.
https://www.youtube.com/watch?v=EH5jx5qPabU
web search
NEUTRAL
— Today, you can run surprisingly capable AI systems on a laptop or desktop, keep your data private, stay offline when needed, and avoid pay-per-token costs. This guide covers two things: The Top 5 tool…
https://dev.to/lightningdev123/top-5-local-llm-tools-and-mod…
web search
NEUTRAL
— Unlock more AI tools with : Web App Join Workik. Download Desktop App. Install VS Code Extension. This is exclusively available for Registered Users!. Sign-up to access cutting edge Workik AI Tools, f…
https://workik.com/ai-code-writer
“Many of these applications are also indexed by Google and similar search engines”
SINGLE SOURCE
The search results discuss Google indexing in general or Google Drive, but do not provide evidence that these specific AI-built applications are being indexed.
web search
NEUTRAL
— Images. Sign in. Google. Advanced search. Advertising Business solutions All about Google Google.ru.
https://www.google.com/
web search
NEUTRAL
— Modern search engines (like Google, for example) increasingly use AI (AI Snippets, FAQ’s) to: Summarize indexed content. Answer questions using public documents. Generate overviews from multiple sourc…
https://www.docontrol.io/blog/google-drive-files-indexed-sea…
web search
NEUTRAL
— Here's a short list of search engines that do not push AI in your face and instead go the old-school route with actual website results. A warning: Two of these search engines (Brave and DuckDuckGo) of…
https://www.zdnet.com/article/google-search-alternatives-no-…
“Axios independently verified multiple exposed apps this week, including: An app for a shipping company detailing which vessels are expected at which ports.”
SINGLE SOURCE
The search results provide general information about Maersk and shipping, but do not mention Axios verifying an exposed app for a shipping company.
web search
NEUTRAL
— With this vessel tracker you can monitor ship positions, vessel tracking, ship tracking, vessel position, vessels traffic, port activity in realtime map.Mobile Apps. List your Company. About. Terms of…
https://www.myshiptracking.com/
web search
NEUTRAL
— Find sailing schedules online with Maersk. Search our extensive routes via vessel schedules, port calls and more.
https://www.maersk.com/schedules/vesselSchedules
web search
NEUTRAL
— Quoting anonymous sources, Axios said the proposed wave of strikes would be likely to include infrastructure targets. Another plan focused on taking over part of the Strait of Hormuz so that it could …
https://www.bbc.com/news/articles/c5yv6xr6me3o
“An internal application for a health company that details active clinical trials across the UK.”
SINGLE SOURCE
The search results discuss a specific clinical trial for SaNOtize and a security issue with the 'axios' npm package, but do not mention an exposed health company app detailing UK trials.
web search
NEUTRAL
— Trial concluded that treatment accelerated clearance of SARS-CoV-2 by a factor of 16-fold versus a placebo. Randomized, double-blind, placebo-controlled trial evaluated 79 confirmed cases of COVID-19,…
https://www.businesswire.com/news/home/20210315005197/en/UK-…
web search
NEUTRAL
— Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross platform RAT. We are actively investigatin…
https://www.stepsecurity.io/blog/axios-compromised-on-npm-ma…
web search
NEUTRAL
— Quora is a place to gain and share knowledge. It's a platform to ask questions and connect with people who contribute unique insights and quality answers. This empowers people to learn from each other…
https://www.quora.com/
“Full, unredacted customer service conversations for a cabinet supplier in the UK.”
SINGLE SOURCE
The search results discuss the UK Cabinet and unrelated unredacted photos, but do not mention a UK cabinet supplier's customer service conversations.
web search
NEUTRAL
— Explore unredacted files and discover hidden truths behind the Epstein scandal. Stay updated on political news related to Trump and Epstein.Victims' unredacted photos and full names exposed, risking t…
https://www.tiktok.com/discover/unredacted-photo
web search
NEUTRAL
— You can browse the list of Cabinet Ministers for His Majesty's Government below. They are ordered by Ministerial ranking. Prime Minister. Cabinet Office. Prime Minister and First Lord of the Treasury.
https://members.parliament.uk/Government/Cabinet
web search
NEUTRAL
— With Clayton’s extensive journalism experience, he isn’t afraid to demand the truth from authorities. Redacted is an independent platform, unencumbered by external factors or restrictive policies.
https://www.youtube.com/channel/UCoJhK5kMc4LjBKdiYrDtzlA
“Internal financial information for a Brazilian bank.”
SINGLE SOURCE
The search results provide general information about the news site Axios and the npm package, but no mention of exposed financial info for a Brazilian bank.
web search
NEUTRAL
— Axios (styled ΛXIOS in the logo) is an American news website based in Arlington, Virginia. It was founded in 2016 and launched the following year by former Politico journalists Jim VandeHei, Mike Alle…
https://en.m.wikipedia.org/wiki/Axios_(website)
web search
NEUTRAL
— Why it matters: The White House is waiting for Iran's response to a one-page memorandum of understanding (MOU) to end the war and set a framework for more detailed nuclear negotiations, as Axios first…
https://www.axios.com/
web search
NEUTRAL
— Promise based HTTP client for the browser and node.js. Latest version: 1.16.0, last published: 4 days ago. Start using axios in your project by running `npm i axios`. There are 176335 other projects i…
https://www.npmjs.com/package/axios
“RedAccess also found exposed applications that leaked customer data and personally identifiable information, including: Conversations with patients at a long-term care facility for children.”
INSUFFICIENT EVIDENCE
No evidence was found in the provided search results for this claim.
“A security company that used one of these platforms to triage information about ongoing incidents that their customers were facing.”
INSUFFICIENT EVIDENCE
No evidence was found in the provided search results for this claim.
“A personal app someone created to help plan a couple's vacation in Belgium, including details about their hotel and dinner reservations.”
PENDING
“An app for a hospital that had doctor and patient conversation summaries, patient complaints and staff schedules.”
PENDING
“An app created for a school that includes recordings of lessons, as well as student-related data and the teacher's schedule.”
PENDING
“In an X post on Tuesday, Replit CEO Amjad Masad claimed RedAccess only gave the company 24 hours before going to the press and did not share a list of impacted users.”
PENDING
“RedAccess shared its findings with Axios on Monday”
PENDING
“Lovable spokesperson Samyutha Reddy told Axios that the company is still investigating some of the reported lists”
PENDING
“Blake Brodie, a spokesperson for Base44, told Axios that RedAccess "deliberately withheld the URLs that would have allowed us to identify and examine the applications in question"”
PENDING
“two of the allegedly exposed applications were "deliberately set to public by their owners."”
PENDING
“RedAccess also found phishing sites built using Lovable that impersonated well-known brands, including Bank of America, FedEx, Trader Joe's and McDonald's.”
PENDING
Disclaimer: This analysis is generated by AI and should be used as a starting point for critical thinking, not as definitive truth. Claims are verified against publicly available sources. Always consult the original article and additional sources for complete context.