Hot AI startup Lovable recently faced scrutiny over a significant security oversight, highlighting the inherent risks of relying on so-called "vibe coding." An X user identified as Impulsive exposed a vulnerability in Lovable's system that allegedly affected every project created prior to November 2025. The individual claimed that using a free account allowed them to access another user's code, AI chat histories, and customer data. The report noted that prominent employees from companies such as Nvidia, Microsoft, Uber, and Spotify had accounts that could potentially be affected, and the bug reportedly remained unaddressed for 48 days. Lovable initially denied the existence of a data breach, asserting that the visibility of project code was a deliberate feature designed to foster community exploration. However, following public backlash regarding the clarity of their stance, the company issued a second statement acknowledging the issue. Lovable explained that in February, while unifying permissions in their backend, they accidentally re-enabled access to chat histories on public projects. The company stated it immediately reverted this change to ensure all chat data on public projects became private. They also confirmed that as of December, public visibility has been switched off by default across all subscription tiers. Industry experts criticized the incident not necessarily as a traditional hack, but as a severe design flaw resulting from a lack of secure defaults. Tom Van de Wiele, founder of the security firm Hacker Minded, described the event as a failure to threat model for the automated and AI age. He argued that relying on users to distinguish between public and private data is a strategy that inevitably fails. Jake Moore, a global cybersecurity advisor at ESET, added that while this may not be a classic breach, it is far from harmless. Moore noted that when companies focus on semantics regarding whether data was hacked versus accidentally exposed, it indicates that security was not integrated into the product from the start. The situation underscores a broader trade-off in the development of AI coding tools. While companies strive to lower friction for new users, they often struggle to protect against data scraping and exposure. Moore warned that these tools can accelerate bad defaults, making it easier for attackers to access sensitive information without needing to exploit traditional vulnerabilities. He emphasized that users must be explicitly aware of what they are exposing and should maintain fail-safes and backups. This incident follows a string of recent security mishaps in the AI sector. In late March, Anthropic accidentally leaked an archive containing nearly 2,000 files and 500,000 lines of code, though they stated no sensitive customer credentials were involved. Additionally, earlier this week, hosting platform Vercel revealed an incident where unauthorized users gained access to certain internal systems. This breach began with a compromise of Context.ai, a third-party tool used by a Vercel employee, which subsequently led to the takeover of a Google Workspace account. Vercel confirmed they have engaged incident response experts and notified law enforcement. The growing frequency of such errors has prompted cautious warnings from venture capitalists. Anish Acharya, a general partner at Andreessen Horowitz, previously stated that companies should not rely on AI-assisted coding for every aspect of their business due to the significant risks involved. As the industry continues to integrate AI into software development, the Lovable incident serves as a stark reminder that convenience must not come at the expense of fundamental security.