The no-code revolution just gave every product manager the power to build what IT would've said no to, and nobody bothered to build the firewall.
The Summary
- Israeli cybersecurity firm RedAccess found 380,000 publicly accessible apps, databases, and infrastructure built with AI-powered vibe coding tools, with roughly 5,000 exposing sensitive corporate data on the open web.
- Exposed assets include shipping manifests, clinical trial records, patient conversations, and unredacted customer service logs, all built by non-technical employees using platforms like Lovable, Replit, and Base44.
- 1.3% exposure rate sounds small until you realize that's 5,000 live security incidents no CISO knew existed.
- The gap: enterprise security was built to protect servers and endpoints, not weekend projects deployed on public URLs and indexed by Google.
The Signal
RedAccess CEO Dor Zvi wasn't looking for a crisis when his team started researching shadow AI. They were trying to help clients understand exposure from vibe coding tools. What they found was 380,000 publicly accessible assets built with platforms that let anyone spin up a functioning web app in seconds. About 5,000 of those apps were leaking data that would make a compliance officer resign on the spot.
Axios and Wired independently verified multiple exposures. The list reads like a shadow IT horror show: a shipping company's app showing which vessels were arriving at which ports. An internal health company tool listing active clinical trials across the U.K. A British cabinet supplier's customer service logs, fully unredacted, sitting on the open web. Internal financials for a Brazilian bank accessible to anyone with the URL.
"None of enterprise security was built to find a customer intake form that a product manager vibe coded on Lovable over a weekend."
The pattern is consistent. Someone in operations or customer success has a workflow problem. IT says it'll take six months. They discover Lovable or Replit can build them a form connected to a Supabase database in an afternoon. They deploy it on Netlify. It works. They share the link internally. Then Google indexes it. Then RedAccess finds it.
The exposed data includes patient conversations at a children's long-term care facility, hospital doctor-patient summaries, incident response records at a security company, and ad purchasing strategies. These aren't toy projects. They're mission-critical tools built outside every control framework the company spent years implementing.
Key exposure categories:
- Healthcare: patient records, doctor summaries, long-term care communications
- Financial: bank internals, transaction data
- Operations: shipping manifests, supply chain details
- Security: incident response logs, internal investigations
- Marketing: ad strategies, customer conversations
The vibe coding platforms aren't the villains here. They're doing exactly what they promised: democratizing software development. The problem is that democratization arrived faster than governance could adapt. Companies spent the last decade hardening their AWS environments and rolling out zero-trust architectures. Meanwhile, their operations team built 47 internal tools on platforms the security team doesn't even know how to scan.
This is the S3 bucket crisis all over again, but worse. At least S3 misconfigurations happened within AWS, where security teams had visibility. These vibe-coded apps live outside the perimeter entirely, deployed on third-party platforms, connected to databases the IT department never provisioned, handling data flows nobody documented.
The Implication
If you're a CISO, the audit you need to run this quarter isn't for misconfigured cloud storage. It's for apps you don't know exist. Start by asking department heads what tools they built or commissioned outside IT. Check whether your company has accounts on Lovable, Replit, Base44, or similar platforms. Look for Netlify deployments tied to corporate email domains. Assume that 1-2% of what you find is leaking something material.
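One way to start the audit described above is to mine what the identity provider, CASB, or outbound proxy already logs: sign-ins to builder platforms and visits to their public hosting URLs, filtered to corporate identities. The script below is an added example, not RedAccess's tooling or any platform's API. It assumes a placeholder corporate domain (`example.com`), an assumed watchlist of platform hostnames and deploy suffixes, and a small constructed set of events in the shape your SSO or proxy export would give you.

```python
"""Triage of shadow vibe-coded apps from constructed SSO / proxy events.

Added example (not from the article). Hostnames and the corporate domain
are assumptions; replace them with your own environment's values.
"""
from collections import defaultdict
from urllib.parse import urlsplit

CORPORATE_DOMAIN = "example.com"  # placeholder, not from the article

# Builder platforms named in the article; the hostnames are assumed values.
BUILDER_HOSTS = {"lovable.dev", "replit.com", "base44.com"}
# Hosting suffixes where weekend projects land on a public URL (assumed values).
DEPLOY_SUFFIXES = (".netlify.app", ".lovable.app", ".replit.app")

# Constructed sample events. In practice: identity-provider sign-in log,
# CASB discovery export, or web-proxy access log.
SAMPLE_EVENTS = [
    {"user": "pm@example.com", "url": "https://lovable.dev/projects/intake-form", "action": "login"},
    {"user": "pm@example.com", "url": "https://intake-form.netlify.app/", "action": "visit"},
    {"user": "ops@example.com", "url": "https://replit.com/@ops/vessel-tracker", "action": "signup"},
    {"user": "ops@example.com", "url": "https://vessel-tracker.replit.app/admin", "action": "visit"},
    {"user": "cs@example.com", "url": "https://cabinet-logs.netlify.app/tickets", "action": "visit"},
    {"user": "eng@example.com", "url": "https://github.com/example/app", "action": "visit"},
    {"user": "someone@gmail.com", "url": "https://lovable.dev/projects/x", "action": "login"},
]


def classify_host(host):
    """Return 'builder', 'deployment', or None for a hostname."""
    host = host.lower()
    if host in BUILDER_HOSTS or any(host.endswith("." + h) for h in BUILDER_HOSTS):
        return "builder"
    if host.endswith(DEPLOY_SUFFIXES):
        return "deployment"
    return None


def build_inventory(events, corporate_domain=CORPORATE_DOMAIN):
    """Group builder accounts and public deployments by corporate user.

    Personal accounts (non-corporate domains) are skipped: the audit is
    about tools tied to the company's identities, not employees' hobbies.
    """
    inventory = defaultdict(lambda: {"builders": set(), "deployments": set()})
    for ev in events:
        user = ev["user"].lower()
        if not user.endswith("@" + corporate_domain):
            continue
        host = urlsplit(ev["url"]).hostname or ""
        kind = classify_host(host)
        if kind == "builder":
            inventory[user]["builders"].add(host)
        elif kind == "deployment":
            inventory[user]["deployments"].add(host)
    return dict(inventory)


def prioritize(inventory):
    """Rank findings for follow-up.

    A user with both a builder account and a live public deployment is the
    most likely owner of an app nobody provisioned; deployments alone come
    next (someone is serving data from a public URL); builder accounts
    alone are lowest (an app may exist but nothing public was observed).
    """
    def score(item):
        user, rec = item
        both = bool(rec["builders"]) and bool(rec["deployments"])
        return (-int(both), -len(rec["deployments"]), user)

    return [
        (user, rec)
        for user, rec in sorted(inventory.items(), key=score)
        if rec["builders"] or rec["deployments"]
    ]


if __name__ == "__main__":
    for user, rec in prioritize(build_inventory(SAMPLE_EVENTS)):
        print(f"{user}: builders={sorted(rec['builders'])} "
              f"deployments={sorted(rec['deployments'])}")
```

Each flagged deployment hostname is a concrete question to take to the department head ("what is this, what data is behind it, who can reach it?"), which is far more productive than a blanket survey. The ranking is deliberately conservative: it only orders what the logs show, and a public URL with no matching builder login still gets reviewed, because the person who built it may have used a personal account.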
For companies building AI coding tools, this is your liability moment. The platforms that make governance and access control optional will face the first major lawsuit. The ones that build compliance guardrails into the product will survive. Build the audit trail now, before regulation forces it.