Building a fully functional app used to take months and a team of developers. Today, anyone with a good idea and an internet connection can build one in an afternoon using AI. No coding experience required.


This approach is called vibe coding, and it is taking off fast. But as its popularity grows, so does a serious problem: many of these AI-built apps are being launched with little to no security, and real businesses are paying the price.

If you have already built an app this way, or you are planning to, this is worth reading before you go any further.

What Is Vibe Coding?

Vibe coding is the practice of using AI tools to build software by describing what you want in plain language. Instead of writing code yourself, you type a prompt like “build me a customer booking system with login and payment” and the AI does the heavy lifting.

Tools like Lovable, Replit, Base44, and Bolt have made this incredibly accessible. You can go from idea to live app in a few hours, with no technical background required.

It is easy to see the appeal. You skip the developer queue, cut costs, and move fast. For small businesses and solo operators, it feels like a superpower.

Collins Dictionary even named “vibe coding” its Word of the Year for 2025. That tells you how quickly this has entered the mainstream.

Why Is It So Popular?

There are a few reasons vibe coding has exploded in popularity.

First, it removes the gatekeeping. You no longer need to know how to code, hire a developer, or explain your idea to a technical team. You just describe what you want.

Second, it is fast. What once took weeks can now take hours. For small business owners, operations managers, and general managers trying to solve an internal problem or serve customers better, that speed is genuinely transformative.

Third, the tools are good. Modern AI coding platforms generate apps that look professional and often work exactly as described. The output can be impressive, especially for simple tools, internal dashboards, customer portals, and intake forms.

According to commentary shared by marketing and technology professionals, Gartner has forecast that nearly 80 percent of business users could be building their own applications by 2026. That is an enormous shift in how software gets made. (PPC Land)

But there is a gap between an app that works and an app that is secure. And right now, that gap is causing serious harm.

The Security Problem Nobody Warned You About

When you ask an AI to build you an app, it focuses on making the app work. It builds the features you asked for. What it often does not do is think about who should and should not have access to your data.

Security controls like authentication, role-based access, and data encryption are not automatically added just because the app functions. If you did not ask for them, there is a good chance they are missing.

Vibe coding tools are allowing users without proper cyber training to unknowingly expose sensitive corporate and personal data at scale. An example of this happened with Axios

Most people building these apps do not realise anything is wrong until the data is already exposed.

What the Research Reveals

In May 2026, cybersecurity firm RedAccess published research that should concern any business owner who has built or is thinking about building a vibe coded app.

Researchers found about 380,000 publicly accessible applications created with vibe coding tools, and roughly 5,000 of them contained sensitive corporate and private data, including medical records, financial information, and business documents. (Security Boulevard)

Around 40 percent of the apps exposed sensitive data, including medical information, financial data, corporate presentations, strategy documents, and detailed logs of customer conversations with chatbots. (Slashdot)

The exposed apps included a hospital’s staff work assignments with doctors’ personal details, a shipping company’s cargo records, a retailer’s full customer service chat logs including names and contact information, and internal financial records from a bank in Brazil.

These were not hacked in the traditional sense. Many of these applications were also indexed by Google and similar search engines, making it possible for just about anyone to stumble upon them. (Axios)

RedAccess CEO Dor Zvi summed it up bluntly. “The end result is that organisations are actually leaking private data through vibe coding applications. This is one of the biggest events ever where people are exposing corporate or other sensitive information to anyone in the world.” (Security Boulevard)

The research was covered extensively by WIRED and verified independently by Axios. The original WIRED report is available online.

Real Incidents That Have Already Happened

This is not a theoretical risk. Businesses and their customers have already been hurt.

The Lovable Data Breach

Lovable is one of the most popular vibe coding platforms. It has faced multiple serious security incidents in a short space of time.

In early 2025, a security researcher discovered that 170 Lovable-created apps allowed anyone to access user data including names, emails, financial records, home addresses, and API keys. The root cause was missing Row Level Security policies on Supabase database tables. The AI generated the database schema but never configured access controls. (Superblocks)

Then in April 2026, a researcher reported that Lovable had a vulnerability affecting every project created before November 2025. Any free account could access another user’s source code, database credentials, AI chat histories, and customer data. (The Register)

In February 2026, an update to Lovable’s permission management backend accidentally re-enabled access to chats on public projects. This was initially described as “intentional behaviour” by Lovable, before the company later issued a public apology. (Halborn)

The pattern here is concerning. Multiple incidents, a slow response, and each time the platform placed much of the responsibility back on the user.

The Tea App and the Class Action Lawsuit

Tea is a dating safety app built for women. The app’s founder openly admitted he does not know how to code and used vibe coding practices to build the platform.

The app was subject to a data leak caused by a legacy unprotected Firebase cloud storage bucket. Approximately 72,000 images were accessed, including around 13,000 selfies and photo identification submitted by users during account verification. (Simon Willison)

The breach was directly linked to insecure configuration in the AI-generated code. The company, which had more than 6.2 million women users, now faces two class action lawsuits filed in California in response to the breach. (NPR)

Government-issued IDs, selfies, and location data embedded in image files all ended up exposed. This was not just embarrassing for the business. It created real-world safety risks for the people who trusted the platform.

Why the Platforms Are Not Fully to Blame (and Why That Makes It Worse for You)

When researchers shared their findings with the vibe coding platforms, the responses were not reassuring.

Netlify ignored it completely, while the other platforms deflected blame onto users, saying they should have better secured their work before putting it out into the world. (Futurism)

Replit’s CEO argued that public apps being accessible is expected behaviour and that users can change privacy settings themselves. Lovable similarly noted that the configuration is ultimately the creator’s responsibility.

On a technical level, they have a point. But these are also the same platforms marketing themselves as tools that let anyone build and launch an app in hours, often with no mention of the security review steps that a professional developer would always perform.

“Anyone from your company at any moment can generate an app, and this is not going through any development cycle or any security check,” Zvi told WIRED. “People can just start using it in production without asking anyone. And they do.” (Futurism)

If your app goes wrong, the liability sits with your business. Not the platform.

What This Means for Australian Businesses

Under Australian privacy law, including the Privacy Act 1988 and the Australian Privacy Principles, businesses that collect personal information have obligations around how that data is stored and protected. A vibe coded app that leaks customer data could put you in breach of those obligations, regardless of which AI tool built the code.

If you handle health information, financial records, or any form of personal data belonging to Australians, these risks are not abstract. They are your problem to manage.

The Office of the Australian Information Commissioner provides guidance on what businesses are expected to do. Pleading ignorance of how the AI tool worked is unlikely to protect you.

How to Approach Vibe Coding More Safely

If you have already built something, or you are planning to, here are some practical starting points.

  • Never connect live customer data to an app that has not been reviewed by a security professional.
  • Check whether your app’s privacy settings are set to private, not public.
  • Do not share API keys, database credentials, or passwords in AI chat prompts.
  • Make sure any app handling personal data has proper login controls and access restrictions.
  • Treat your vibe coded app the same way you would any other piece of software that touches your customers.

These steps help, but they are not a substitute for a proper security review. The issues found in the research above were not things most business owners would spot themselves.
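To make the Lovable root cause above concrete, and to show what the checklist item about “proper login controls and access restrictions” looks like in practice, here is an added SQL example written for this article. It is not code from Lovable, Supabase, or the research; it assumes a Supabase project (where auth.uid() returns the signed-in user’s id and client apps connect as the anon or authenticated roles) and uses a hypothetical bookings table. The first block is the kind of schema an AI tool scaffolds; the rest is the access control that was missing.

```sql
-- Added example, not from the article or any platform. Assumes Supabase/Postgres:
-- auth.uid() is the signed-in user's id; "anon" and "authenticated" are the
-- roles the browser client connects as. The bookings table is hypothetical.

-- 1. The generated schema. It works, but Row Level Security is OFF by default,
--    so every row is readable and writable by anyone holding the public anon key.
create table public.bookings (
  id            bigint generated always as identity primary key,
  owner_id      uuid not null references auth.users (id),
  customer_name text not null,
  notes         text,
  created_at    timestamptz not null default now()
);

-- 2. Turn on Row Level Security. With RLS enabled and no policies yet,
--    the table denies all access from client roles: the safe starting point.
alter table public.bookings enable row level security;

-- 3. Add explicit policies so a signed-in user can only see and edit their own rows.
--    Anonymous (not logged in) requests match none of these and are refused.
create policy "bookings_select_own" on public.bookings
  for select to authenticated
  using (owner_id = auth.uid());

create policy "bookings_insert_own" on public.bookings
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "bookings_update_own" on public.bookings
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "bookings_delete_own" on public.bookings
  for delete to authenticated
  using (owner_id = auth.uid());

-- 4. A check a reviewer can run: any table in the public schema listed here
--    has RLS disabled and is exposed the way the incidents above describe.
select schemaname, tablename, rowsecurity
from pg_tables
where schemaname = 'public' and rowsecurity = false;
```

Run it in the project’s SQL editor. The final query should return no rows once every table has RLS enabled; if it lists a table, that table is reachable with the public key regardless of what the app’s login screen looks like. Enabling RLS without policies locks the table down entirely, so test the app with a normal user account afterwards to confirm the policies grant exactly what each screen needs and nothing more.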

Get Your Vibe Coded App Properly Reviewed

At Sentry Cyber, we work with Australian businesses to identify and fix the security gaps that AI tools leave behind. Our security assessments are designed to be practical and clear, not filled with technical jargon that leaves you more confused than when you started.

Whether you have already launched a vibe coded app, you are in the middle of building one, or you are just at the planning stage, we can help you understand the risks and make sure you are covered before something goes wrong.

Get in touch with the Sentry Cyber team today to arrange a security assessment for your AI-built application. It is a straightforward conversation, and it could save you a significant headache down the track.

Conclusion

Vibe coding has genuinely changed what is possible for small businesses. The ability to build tools quickly and affordably is a real advantage. But the security risks are just as real, and recent incidents have shown that the consequences can be serious.

The platforms will not always catch the problems. The responsibility sits with the business that owns the app.

A quick security review now is far cheaper and easier than dealing with a data breach later.

Talk to the Sentry Cyber team about reviewing your vibe coded project today.

FAQ

What is vibe coding? Vibe coding is the practice of using AI tools to build software by typing plain-language descriptions of what you want. You describe the app and the AI writes the code, without you needing any technical skills.

Are vibe coded apps actually insecure? They can be. AI tools focus on building what you describe. They do not automatically add security controls like access restrictions, authentication systems, or data encryption unless you specifically ask for them and the platform supports it. Many apps are launched without these protections in place.

What data has actually been exposed through vibe coded apps? Researchers have found exposed medical records, financial data, business strategy documents, customer contact details, chatbot conversation logs, government-issued IDs, and database credentials. These were found in apps built by real businesses using popular AI coding platforms.

Could my business be liable for a vibe coded app data breach? Yes. Under Australian privacy law, businesses are responsible for protecting the personal information they collect and store. A breach caused by insecure AI-generated code does not reduce that responsibility.

What should I do if I have already built and launched a vibe coded app? Start by checking your app’s privacy settings and making sure it is not set to public by default. Do not store live customer data in apps that have not been security reviewed. Contact a cybersecurity professional to assess the app before anything goes wrong.

How can Sentry Cyber help with a vibe coded app? Sentry Cyber offers security assessments designed for businesses of all sizes. We review your app for common vulnerabilities, check your access controls, and give you a clear picture of what needs to be fixed. We work with you in plain English, not technical jargon.