A cybersecurity firm this week published findings that thousands of web applications built with AI coding tools are sitting on the open internet with virtually no security controls - and among the data spilling out are detailed advertising purchasing records, go-to-market strategy documents, chatbot conversation logs, and customer contact information belonging to companies that may not even know the exposure exists.

The research, conducted by Dor Zvi and his team at RedAccess and reported by WIRED on May 7, 2026, examined thousands of applications created using four widely used AI-assisted development platforms: Lovable, Replit, Base44, and Netlify. The researchers identified more than 5,000 of those apps as having essentially no authentication or security controls of any kind. Of that group, close to 2,000 appeared to expose genuinely private data - corporate or personal - to anyone who typed the correct URL into a browser.

"The end result is that organizations are actually leaking private data through vibe-coding applications," according to Zvi. "This is one of the biggest events ever where people are exposing corporate or other sensitive information to anyone in the world."

What researchers found, and how they found it

The method RedAccess used to locate vulnerable applications was, by Zvi's own account, straightforward. Lovable, Replit, Base44, and Netlify all allow users to host their web applications on subdomains of those companies' own domains by default, rather than requiring a separately purchased domain. Because search engines index those hostnames like any other site, the RedAccess team could run searches on Google and Bing scoped to the AI companies' domains and combined with additional search terms. The searches surfaced thousands of accessible apps almost immediately.

Of the more than 5,000 apps the team identified as publicly accessible with no authentication, RedAccess found that close to 2,000 appeared to contain real private data. Screenshots shared with WIRED - several of which the publication independently verified were still live and accessible at the time of reporting - showed a hospital's internal work assignment records including the personally identifiable information of doctors, a company's detailed advertising purchase data, what appeared to be another firm's go-to-market strategy presentation, a retailer's full chatbot conversation logs including customers' full names and contact information, a shipping company's cargo records, and a range of sales and financial records from other businesses.
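The discovery-and-triage loop described above, scripted the way a practitioner might run it, as an added example. This is not RedAccess's tooling. The default hosting domains, the dork terms, the sample URLs and the HTTP responses are all assumptions or constructed fixtures, so the script runs offline; the only technique it reproduces is the one the page describes: search queries scoped to each platform's domain, then a first-pass label for whatever each candidate URL returns.

```python
"""
Added example (not RedAccess's code): dork generation for the platforms'
default hosting domains plus a first-pass triage of probe responses.
All hostnames, terms and responses below are assumptions/constructed.
"""
import json
import re
from dataclasses import dataclass

# Assumed default hosting domains. The page only says apps sit on the
# companies' own domains; these exact hostnames are an assumption.
PLATFORM_DOMAINS = {
    "Lovable": "lovable.app",
    "Replit": "replit.app",
    "Base44": "base44.app",
    "Netlify": "netlify.app",
}

# Terms a researcher might pair with a site: filter (constructed list).
DORK_TERMS = ["admin", "dashboard", "customers", "invoices", "internal"]

# JSON keys whose presence in a record suggests personal data (constructed).
PII_KEYS = {"email", "phone", "full_name", "first_name", "last_name", "address", "dob"}


def build_dorks(domains=PLATFORM_DOMAINS, terms=DORK_TERMS):
    """Queries of the form 'site:<domain> <term>' for Google or Bing."""
    return [f"site:{d} {t}" for d in domains.values() for t in terms]


def platform_for(url, domains=PLATFORM_DOMAINS):
    """Map a URL back to the platform whose default domain hosts it, or None."""
    host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
    for name, dom in domains.items():
        if host == dom or host.endswith("." + dom):
            return name
    return None


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def _records(data):
    """Extract dict records from a JSON body, tolerating a {"data": [...]} wrapper."""
    if isinstance(data, list):
        return [r for r in data if isinstance(r, dict)]
    if isinstance(data, dict):
        for value in data.values():
            if isinstance(value, list):
                return [r for r in value if isinstance(r, dict)]
    return []


def triage(resp):
    """First-pass label for one probe response.

    gated      - credentials demanded (401/403, login redirect, password form)
    open-pii   - 200 with JSON records carrying PII-looking keys
    open-data  - 200 with JSON records but no PII-looking keys
    open-empty - 200 JSON with no records (typical of test/placeholder apps)
    open-page  - 200 HTML with no login form; needs a human look
    error      - anything else
    """
    if resp.status in (401, 403):
        return "gated"
    location = resp.headers.get("location", "").lower()
    if 300 <= resp.status < 400:
        return "gated" if ("login" in location or "auth" in location) else "error"
    if resp.status != 200:
        return "error"
    if "json" in resp.headers.get("content-type", "").lower():
        try:
            data = json.loads(resp.body)
        except ValueError:
            return "error"
        recs = _records(data)
        if not recs:
            return "open-empty"
        keys = {k.lower() for r in recs for k in r}
        return "open-pii" if keys & PII_KEYS else "open-data"
    if re.search(r'type=["\']password["\']', resp.body, re.I):
        return "gated"
    return "open-page"


# Constructed probe results standing in for what a crawler would fetch.
SAMPLE_PROBES = {
    "https://shift-roster.lovable.app/api/shifts": Response(
        200, {"content-type": "application/json"},
        json.dumps([{"full_name": "Dr. Example", "email": "dr@example.invalid", "shift": "night"}])),
    "https://adspend-dash.replit.app/api/campaigns": Response(
        200, {"content-type": "application/json"},
        json.dumps({"data": [{"campaign": "Q3 brand", "budget": 120000, "platform": "search"}]})),
    "https://crm-portal.base44.app/": Response(
        200, {"content-type": "text/html"}, '<form><input type="password" name="pw"></form>'),
    "https://demo-site.netlify.app/api/items": Response(
        200, {"content-type": "application/json"}, "[]"),
    "https://intranet.example.invalid/api/users": Response(302, {"location": "/login"}, ""),
}


def scan(probes=SAMPLE_PROBES):
    """Return {url: (platform, label)} for every probe result."""
    return {url: (platform_for(url), triage(resp)) for url, resp in probes.items()}
```

The labels are deliberately coarse: an "open-pii" hit only says that unauthenticated JSON with personal-looking keys came back, which is exactly the point where a human has to decide whether the records are real or placeholder data. Probing should be confined to applications you are authorized to test; the search step alone is enough to measure how much of the surface exists.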

The variety of exposed data is significant for the marketing industry. Advertising strategy documents, campaign purchase records, and customer chatbot logs represent precisely the category of competitive and regulatory information that companies invest heavily to protect. The exposure of ad purchasing data, in particular, could reveal campaign budgets, targeting approaches, platform mix, and seasonal strategies to any competitor who discovers the correct URL.

Some of the exposed apps went further than simply surfacing records. According to Zvi, a small number of the applications he found would have allowed an outside visitor to gain administrative privileges over backend systems - and in certain cases, to remove other administrators entirely. That is broken access control rather than mere information disclosure: a severity far beyond data visibility, potentially giving unauthorized parties control over live operational systems.
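The failure Zvi describes has a familiar shape: a backend that trusts the request for both identity and role. The added example below is not code from any of the apps RedAccess examined; it is a constructed, in-memory backend with two handlers for the same two routes, one written the way a prompt-only build often comes out and one hardened. User names, tokens and customer records are made up.

```python
"""
Added example (constructed, not from any examined app): the same two routes
with client-trusted authorization beside a server-side check.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def fresh_store():
    """Constructed seed data: two admins, one viewer, two live sessions."""
    return {
        "users": {"alice": {"role": "admin"}, "bob": {"role": "admin"}, "carol": {"role": "viewer"}},
        "sessions": {"tok-alice-0001": "alice", "tok-carol-0002": "carol"},
        "customers": [{"full_name": "Pat Example", "email": "pat@example.invalid"}],
    }


class VulnerableBackend:
    """No authentication; the caller's own JSON decides whether it is an admin."""

    def __init__(self):
        self.db = fresh_store()

    def handle(self, req):
        if req.method == "GET" and req.path == "/api/customers":
            return 200, self.db["customers"]            # anyone with the URL gets everything
        if req.method == "POST" and req.path == "/api/admins/remove":
            if req.body.get("role") == "admin":          # trusts a field the caller wrote
                target = req.body.get("target")
                self.db["users"].pop(target, None)       # any visitor can delete any admin
                return 200, {"removed": target}
            return 403, {"error": "forbidden"}
        return 404, {"error": "not found"}


class HardenedBackend:
    """Deny by default; identity from a server-side session, role from the users table."""

    def __init__(self):
        self.db = fresh_store()

    def _current_user(self, req):
        auth = req.headers.get("authorization", "")
        if not auth.lower().startswith("bearer "):
            return None
        presented = auth[7:].strip().encode()
        for token, user in self.db["sessions"].items():
            # constant-time comparison, and the user must still exist
            if hmac.compare_digest(token.encode(), presented) and user in self.db["users"]:
                return user
        return None

    def handle(self, req):
        user = self._current_user(req)
        if user is None:
            return 401, {"error": "authentication required"}
        role = self.db["users"][user]["role"]           # never read from the request
        if req.method == "GET" and req.path == "/api/customers":
            return 200, self.db["customers"]
        if req.method == "POST" and req.path == "/api/admins/remove":
            if role != "admin":
                return 403, {"error": "admin role required"}
            target = req.body.get("target")
            admins = [u for u, rec in self.db["users"].items() if rec["role"] == "admin"]
            if target not in admins:
                return 404, {"error": "no such admin"}
            if target == user or len(admins) == 1:
                return 409, {"error": "cannot remove yourself or the last admin"}
            self.db["users"].pop(target)
            return 200, {"removed": target, "by": user}
        return 404, {"error": "not found"}


def demo():
    """Anonymous read plus a forged-role admin removal against both backends."""
    anon = Request("GET", "/api/customers")
    forged = Request("POST", "/api/admins/remove", body={"role": "admin", "target": "bob"})
    v, h = VulnerableBackend(), HardenedBackend()
    return {
        "vulnerable": (v.handle(anon)[0], v.handle(forged)[0], sorted(v.db["users"])),
        "hardened": (h.handle(anon)[0], h.handle(forged)[0], sorted(h.db["users"])),
    }
```

Against the first backend an unauthenticated visitor reads every customer record and deletes admin `bob` by writing `"role": "admin"` into the request body; against the second both requests stop at 401, a logged-in viewer gets 403, and even a real admin cannot remove the last remaining admin. The difference is not more code so much as where the role is read from.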

Beyond data exposure, RedAccess found numerous examples of phishing sites hosted on Lovable's own domain. According to the report, these sites impersonated major corporations including Bank of America, Costco, FedEx, Trader Joe's, and McDonald's - and appeared to have been built using Lovable's AI coding tools, then left on Lovable's domain infrastructure.

The platforms respond

WIRED contacted all four companies named in the research. Netlify did not respond. The three remaining companies - Replit, Lovable, and Base44 - each pushed back on aspects of the findings, though none denied that the apps RedAccess identified were in fact accessible.

Replit's CEO Amjad Masad acknowledged the core claim without conceding a systemic failure. According to Masad's post on X, "From the limited information they shared, [RedAccess's] core claim appears to be that some users have published apps on the open web that should've been private. Replit allows users to choose whether apps are public or private. Public apps being accessible on the internet is expected behavior. Privacy settings can be changed at any time with a single click."

Lovable issued a statement acknowledging the seriousness of the findings while emphasizing user responsibility. According to a company spokesperson, "Lovable takes reports of exposed data and phishing sites seriously, and we're actively working to obtain what we need to investigate. We're treating this as an ongoing matter. It's also worth noting that Lovable gives builders the tools to build securely, but how an app is configured is ultimately the creator's responsibility."

Base44's parent company Wix responded through head of public relations Blake Brodie. According to Brodie, "Base44 provides users with robust tools to configure their own applications' security, including access controls and visibility settings." She added that "disabling those controls is a deliberate, straightforward action, any user can do it. Where applications were publicly accessible, that reflects a user configuration choice, not a platform vulnerability."

Wix also raised questions about the validity of RedAccess's examples directly: "It is trivially easy to fabricate applications that appear to contain real user data. Without a single verified example provided to us, we have no way to assess the validity of these claims."

RedAccess disputed Wix's claim that no examples had been provided. The firm shared with WIRED what it described as anonymized communications showing Base44 users thanking RedAccess researchers for alerting them to exposed apps - apps which were subsequently secured or taken offline. For a few dozen of the exposed applications, the firm says it contacted the apparent owner directly, and in those cases the owner confirmed data had in fact been exposed.

Verification challenges and broader context

Independently confirming data exposure in AI-built applications is genuinely difficult. Security researcher Joel Margolis, who recently uncovered a separate case where an AI chat toy exposed 50,000 conversations children had with the product on a publicly accessible website with essentially no security controls, noted that data inside a vibe-coded app might be placeholder content, a proof of concept, or synthetic test data. Wix's Brodie argued that two examples shared with Base44 by WIRED appeared to be test sites or contain AI-generated data. WIRED stated that, for the apps it reviewed, it could not confirm with certainty that the personal or corporate data was as sensitive or real as it appeared.

Margolis nevertheless said the underlying problem is real and widespread. "Somebody from a marketing team wants to create a website. They're not an engineer and they probably have little to no security background or knowledge," according to Margolis. These tools, he added, "do what you ask them to do. And unless you ask them to do it securely, they're not going to go out of their way to do that."

That observation lands with particular weight for the advertising and marketing industries, where teams outside of engineering - account managers, strategists, media planners - are increasingly using AI tools to build internal dashboards, reporting applications, and client-facing portals. The consumer trust crisis already documented in digital marketing adds another layer: the same audiences whose trust brands are trying to earn are the ones whose data could be sitting in an unsecured app.

The scale beyond what was measured

The 5,000 apps figure Zvi's team produced represents only those hosted on the AI coding platforms' own domains. Zvi explicitly noted that likely thousands more apps built with these same tools are hosted on users' own purchased domains - domains that standard searches for the AI companies' infrastructure would not surface.

He drew a comparison to an earlier wave of corporate data exposure: the epidemic of misconfigured Amazon S3 storage buckets that, in 2017 and the years that followed, left sensitive data from companies including Verizon and World Wrestling Entertainment publicly accessible. That situation arose from a combination of user error and confusing access-control options - for instance, a bucket grant to "Authenticated Users" that meant any AWS account holder, not just the bucket owner's own users. Many in the security industry at the time partially attributed the scale of the problem not only to individual mistakes but to Amazon's interface design choices that made misconfiguration easy and common.

Zvi sees the same dynamic at work now. AI-powered app development tools have lowered the barrier to building and deploying web applications so far that an entirely new class of application creator has emerged - people within organizations who have no software development background and no familiarity with how authentication, access controls, or data exposure work.

"Anyone from your company at any moment can generate an app, and this is not going through any development cycle or any security check," according to Zvi. "People can just start using it in production without asking anyone. And they do."

This is the mechanism that makes the problem structurally different from traditional software security failures. It is not that developers wrote insecure code and shipped it anyway. It is that the definition of who constitutes a developer has expanded, seemingly overnight, to include anyone with a browser and a request to type.

What this means for marketing teams specifically

For advertising and marketing professionals, the implications extend beyond general data privacy risk. Gartner has forecast that nearly 80 percent of business users could be building their own applications by 2026, according to commentary shared in the LinkedIn discussion thread around this research. GitHub code commits, another measure of AI-assisted development activity, have reportedly been tracking toward 14 billion for the current year - compared to 1 billion in 2025. These numbers suggest that the scale of AI-generated application deployment is accelerating rapidly, not contracting.

Within agencies and in-house marketing teams, vibe coding tools have been embraced precisely because they remove dependence on engineering backlogs. A media planner can build a campaign reporting tool in an afternoon. A strategist can create a client-facing portal without filing a ticket. That speed creates real productivity gains - but it also means those applications bypass the review processes that engineering and security teams normally apply before production deployment.

PPC Land has tracked the broader context of AI privacy risks in digital advertising, including a class action lawsuit filed in March 2026 alleging that Perplexity AI secretly forwarded user conversations to Google and Meta through embedded tracking pixels. The DOJ has also argued in federal court that conversations with commercial AI platforms lack legal privilege protection, establishing a precedent that has implications for how sensitive professional discussions conducted via AI tools are treated under law.

The RedAccess findings add a different dimension to that landscape: not AI companies harvesting user data, but companies inadvertently publishing their own data through AI-built tools with no security configuration at all.

Advertising purchasing data carries particular sensitivity. Campaign budgets, platform allocations, audience targeting parameters, and seasonal flight schedules are treated as confidential competitive intelligence inside most organizations. A go-to-market strategy document of the type reportedly found in some of the exposed apps typically represents months of planning and is subject to strict distribution controls within even relatively small companies. The retail chatbot conversation logs that RedAccess described - containing customers' full names and contact information - could constitute a personal data breach under GDPR and similar regulations, with associated notification obligations and potential fines.

The shift toward first-party data and privacy-preserving infrastructure that the advertising industry has been building over the past several years - clean rooms, publisher advertiser identity reconciliation, privacy sandbox APIs - represents considerable investment aimed at protecting consumer data within formal advertising systems. That investment does not extend to informal applications built by non-technical staff in an afternoon and hosted on a third-party domain with default public settings.

Who is responsible

The platforms, for their part, have positioned this primarily as a user configuration issue. Their responses emphasize that public versus private settings exist and are accessible. That framing has precedent - cloud storage providers made similar arguments during the S3 misconfiguration wave - but it has also drawn similar criticism. When thousands of users make the same mistake in the same direction, the design of the default settings becomes part of the analysis.

Margolis's framing is more direct: these tools "do what you ask them to do," and most people asking them to build applications are not asking for security controls they do not know to request. The responsibility question, in that reading, sits somewhere between the platforms' default configurations and the organizational processes - or absence thereof - that govern how AI-built tools reach production.

For the marketing and advertising industry specifically, that organizational gap may be the most actionable finding. Engineering and security review processes exist in most companies of meaningful size, but they were built around the assumption that application development is something engineers do. The proliferation of AI-assisted tools has outpaced the governance structures designed to catch insecure deployments before they go live.

Timeline

  • 2017 onward: Amazon S3 storage bucket misconfigurations expose sensitive data from major corporations including Verizon and World Wrestling Entertainment, establishing a precedent for large-scale data exposure caused by confusing settings and user error rather than active hacking.
  • 2024: Vibe coding gains significant traction as AI coding tools from platforms including Lovable, Replit, Base44, and Netlify enable non-technical users to build and deploy web applications in minutes.
  • October 26, 2025: Google AI Studio introduces vibe coding features, further mainstreaming AI-assisted application development within the technology industry.
  • March 31, 2026: A class action complaint is filed in the US District Court for the Northern District of California alleging Perplexity AI secretly shared user conversations with Google and Meta through embedded tracking pixels, as covered by PPC Land.
  • Monday, approximately May 4, 2026: RedAccess contacts Lovable, Replit, Base44, and Netlify to share findings about exposed applications and request responses.
  • May 7, 2026: WIRED publishes senior writer Andy Greenberg's report on the RedAccess research, which found more than 5,000 vibe-coded applications built with AI tools from Lovable, Replit, Base44, and Netlify with essentially no security or authentication. Close to 2,000 of those apps appeared to expose sensitive personal or corporate data, including advertising purchasing records, go-to-market strategies, medical personnel information, and customer chatbot logs.
  • May 7, 2026: Replit CEO Amjad Masad responds on X, acknowledging that some users published apps that should have been private but framing public accessibility as expected behavior for apps users choose to make public.
  • May 7, 2026: Lovable issues a statement saying it is treating the matter as ongoing and working to investigate.
  • May 7, 2026: Wix, parent company of Base44, disputes that verified examples were provided and argues that any exposed apps reflect deliberate user configuration choices rather than platform vulnerabilities.

Summary

Who: Dor Zvi and his team at RedAccess, a cybersecurity firm, conducted the research. The affected platforms are Lovable, Replit, Base44 (owned by Wix), and Netlify. The exposed data belongs to organizations that used these tools to build internal or client-facing web applications. Security researcher Joel Margolis provided independent commentary on the scope of the problem.

What: RedAccess identified more than 5,000 web applications built using AI coding tools that had virtually no security or authentication controls, leaving them publicly accessible to anyone with the correct URL. Close to 2,000 of those apps appeared to expose sensitive private data. Exposed information included a hospital's work assignment records with doctor PII, detailed advertising purchasing information, go-to-market strategy presentations, retailer chatbot logs containing customer names and contact details, cargo records, and financial data. Some apps would have allowed visitors to gain administrative access to backend systems. Dozens of phishing sites impersonating major brands were also found hosted on Lovable's domain.

When: The WIRED report was published on May 7, 2026. RedAccess says it contacted the four platforms on the Monday of the week of publication. The underlying application deployments span the period during which vibe coding tools gained widespread adoption, primarily 2024 through early 2026.

Where: The exposed applications are hosted on the public web, primarily on domains operated by Lovable, Replit, Base44, and Netlify. Zvi noted that additional exposed applications built with these tools but hosted on users' own domains were not captured in the 5,000 figure. RedAccess located the apps through ordinary Google and Bing searches scoped to the platforms' domains, not by probing the platforms' infrastructure.

Why: AI-powered development tools have lowered the barrier to building and deploying web applications to the point that non-technical employees within organizations can create and publish apps without any involvement from engineering or security teams. These employees typically lack the background to configure authentication or access controls, and the tools do not enforce security settings by default. The result is a new category of data exposure that bypasses existing corporate security review processes entirely - occurring not through hacking, but through accidental publication.
