Thousands of AI-Built Apps Found Leaking Sensitive Data Online

Thousands of web applications built using AI-powered development platforms are exposing sensitive corporate and personal data on the public internet, according to an investigation published Wednesday by Wired.

The report found that platforms including Lovable, Base44, Replit and Netlify — which use artificial intelligence to allow users to build functional web applications in seconds — have enabled widespread data exposures through misconfigurations inherent to so-called vibe-coding workflows.

Vibe coding, a term that has gained currency in the tech industry over the past year, refers to the practice of using AI tools to generate application code with minimal or no programming knowledge. The approach has fueled a boom in no-code and low-code development, with platforms marketing rapid app creation to non-technical users and small businesses.

The Wired investigation found a downside to these AI-assisted workflows: applications created through these processes frequently ship with fundamental security flaws, including misconfigured databases and exposed credentials, that leave sensitive information accessible to anyone on the open web.

The findings raise questions about liability for AI-assisted development platforms, particularly those marketed to users who may lack the technical expertise to identify and remediate security vulnerabilities. Replit and Netlify are both U.S.-based companies, and the data exposures documented in the report affect American corporate and personal data.

The scale of the problem could draw scrutiny from federal and state regulators. The Federal Trade Commission has historically taken enforcement action against companies whose lax security practices result in consumer data exposure, and state attorneys general have increasingly pursued similar cases under state consumer protection and data privacy statutes.

The investigation highlights a tension in the AI-powered development movement: the same ease of use that makes these platforms accessible to a broad audience also removes security guardrails that trained developers would typically implement.

Security researchers have warned that the rapid proliferation of AI-generated code — often deployed without meaningful code review or security testing — could produce large-scale data exposure incidents, according to prior industry reporting. The Wired investigation documented such exposures across thousands of applications.

None of the platforms named in the investigation had issued formal public statements in response to the report as of Wednesday evening.
