Researchers find 380K vibe‑coded apps
- RedAccess says it found about 380,000 publicly reachable AI-built apps and assets, with roughly 5,000 exposing sensitive corporate or personal data online.
- The exposed systems were tied to tools including Lovable, Replit, Base44, and Netlify, and some had effectively no authentication at all.
- It matters because vibe coding is spreading faster than security review, turning shadow AI into a very old breach pattern.
The story here is not that AI wrote some buggy code. The story is that AI app builders are making it absurdly easy to publish software before anyone thinks about access control. RedAccess, an Israeli security startup, says it identified about 380,000 publicly accessible apps and related assets built with tools like Lovable, Replit, Base44, and Netlify, and about 5,000 of them exposed sensitive data. Some of the examples included medical conversations, financial records, and internal business documents.

### What is a “vibe-coded” app?

Basically, it is an app built mostly by prompting an AI tool in plain English instead of writing and reviewing the code line by line. That is the appeal — faster prototypes, less engineering friction, and a much lower bar for who can ship software. But the catch is obvious once you say it out loud: if the builder does not really understand auth, storage, and permissions, the app can go live with those parts half-baked. (securityboulevard.com)

### What did RedAccess actually find?

RedAccess says the scan covered publicly reachable applications and related infrastructure created with popular AI-assisted development tools. Out of that pool, roughly 5,000 contained sensitive corporate or private information. The share sounds small at about 1.3%, but at this scale that still means thousands of live exposures sitting on the open web. (upguard.com)

### What kind of data was exposed?

Not toy-demo stuff. The reported examples included a shipping company app showing vessel and port details, internal financial information for a Brazilian bank, unredacted customer service chats, patient conversations at a long-term care facility, and hospital summaries of doctor-patient conversations and complaints. Axios reportedly verified several of the exposed apps independently, which is what makes this feel less like a theoretical lab exercise and more like a real operational mess. (securityboulevard.com)

### Why does “no authentication” matter so much?

Because this is the boring, ancient failure mode that every security team already knows — a thing is online, indexed or guessable, and nobody put a lock on it. That is why people are comparing it to the old S3 bucket era. The novelty is not the bug class. The novelty is the production rate. AI builders can generate and publish apps far faster than normal review processes can catch them. (securityboulevard.com)

### Is this the tools’ fault?

Partly, but not cleanly. Reports around the findings point to default public settings and weak governance as major reasons these apps were reachable in the first place. That suggests a mix of product design choices, careless deployment, and companies letting employees use AI builders without security guardrails. In other words, the problem is not just bad code — it is bad publishing hygiene at scale. (martincid.com)

### Why is this showing up now?

Because vibe coding has gone from novelty to mainstream workflow very fast. Lovable, Replit, and similar tools are growing quickly, and even platform owners have started reacting to the flood. Apple has already been taking a tougher line on some vibe-coding apps in the App Store, which is a sign that distribution platforms see quality and safety problems piling up. (msn.com)

### So what changes next?

The obvious fix is not “stop using AI to code.” It is to treat AI-built apps like any other production system — private by default, auth turned on, secrets scanned, and exposure monitored continuously. The bigger shift is cultural. Shadow AI used to mean someone pasting a document into a chatbot. Now it can mean an employee quietly launching a live app that leaks customer data. (techcrunch.com)

### Bottom line?

This is less a weird AI story than a familiar security story with a turbocharger attached. Vibe coding did not invent sloppy access control. It just made it possible to mass-produce it. (venturebeat.com)
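The “private by default, auth turned on” rule from the section above, shown as an added example that is not code from the article or from any of the tools it names: a small default-deny request guard in which a route stays locked unless its author explicitly registers it as public, and every rejected request is recorded so exposure can be monitored. The token store, routes and request shape are constructed placeholders.

```python
import hmac

# Constructed token store for the demo; a real app would check sessions or an IdP.
VALID_TOKENS = {"tok-demo-1234": "alice"}

class App:
    """Default-deny guard: a route stays private unless registered public=True."""
    def __init__(self):
        self._routes = {}   # path -> (handler, is_public)
        self.denied = []    # audit trail of rejected paths, for exposure monitoring

    def route(self, path, public=False):
        def register(fn):
            self._routes[path] = (fn, public)
            return fn
        return register

    def _user_for(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        token = auth[len("Bearer "):]
        for known, user in VALID_TOKENS.items():
            if hmac.compare_digest(known, token):
                return user
        return None

    def handle(self, path, headers=None):
        """Returns (status, body). The auth check runs before route lookup,
        so an anonymous caller cannot even learn which paths exist."""
        user = self._user_for(headers or {})
        entry = self._routes.get(path)
        if user is None and not (entry and entry[1]):
            self.denied.append(path)
            return 401, "authentication required"
        if entry is None:
            return 404, "not found"
        return 200, entry[0](user)

app = App()

@app.route("/health", public=True)
def health(user):
    return "ok"

@app.route("/patients/42")   # no public flag: private by default
def patient_record(user):
    return f"record for {user}"
```

Because the guard runs before routing, a forgotten `public=True` fails closed rather than open, which is the opposite of the default-public behaviour the reports describe.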