As more apps are built with AI coding tools, cases in which internal corporate information ends up exposed on the internet are also increasing.
Axios reported on May 7 that Israeli cybersecurity company RedAccess said about 380,000 apps built using the tools Lovable, Base44, Replit and Netlify were accessible to anyone on the internet. It said about 5,000 of them contained sensitive corporate data.
Exposed apps that Axios verified included a shipping company app containing information on vessels scheduled to enter port, an internal app of a healthcare company containing the status of clinical trials across Britain, customer service chat transcripts from a British furniture company, and internal financial information from a Brazilian bank.
The exposed data also included patient conversations at a children's long-term care facility, incident response information at a security company, hospital doctor-patient conversation summaries, patient complaints, staff schedules, school class recordings, student information and teacher schedules.
Researchers said the default privacy settings of some vibe coding tools are set to make apps public, and anyone can access them unless users change the setting manually. They are also indexed by search engines such as Google.
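The two conditions the researchers describe, an app reachable by an anonymous visitor and nothing telling search engines to stay out, are both checkable from an app's own HTTP response. The script below is an added example for auditing an inventory of deployed apps; it is not code from Axios, RedAccess or any of the tool vendors. The URLs and responses are constructed (`.invalid` domains), and the rule that a redirect to a path containing "login", "signin", "auth" or "sso" counts as gated is an assumption, not something the report states.

```python
"""
Audit deployed apps for the two exposure conditions described in the report:
(1) content served to an unauthenticated request, and
(2) no opt-out from search-engine indexing (X-Robots-Tag or robots meta tag).
Responses are constructed inline so the script runs offline; a real audit
would fetch each URL with a client that sends no cookies or tokens (assumption).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; header names are normalised to lowercase."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}


# <meta name="robots" content="... noindex ..."> in any attribute order/case
NOINDEX_META = re.compile(
    r'<meta\s+[^>]*name=["\']robots["\'][^>]*content=["\'][^"\']*noindex', re.I)

# Redirect targets that indicate an auth gate (heuristic, assumed)
LOGIN_HINTS = ("login", "signin", "auth", "sso")


def is_unauthenticated_public(resp: Response) -> bool:
    """True when an anonymous request receives the content rather than a challenge or login."""
    if resp.status in (401, 403):
        return False
    if resp.status in (301, 302, 303, 307, 308):
        target = resp.headers.get("location", "").lower()
        return not any(hint in target for hint in LOGIN_HINTS)
    return resp.status == 200


def is_indexable(resp: Response) -> bool:
    """True unless the response opts out of indexing via header or robots meta tag."""
    if "noindex" in resp.headers.get("x-robots-tag", "").lower():
        return False
    return NOINDEX_META.search(resp.body) is None


def classify(resp: Response) -> dict:
    """Rate one app: gated, exposed, or exposed and discoverable through search engines."""
    public = is_unauthenticated_public(resp)
    indexable = public and is_indexable(resp)
    level = "exposed-and-indexable" if indexable else ("exposed" if public else "gated")
    return {"url": resp.url, "public": public, "indexable": indexable, "level": level}


def audit(responses) -> list:
    """Classify every response in the inventory, preserving order."""
    return [classify(r) for r in responses]


# Constructed sample inventory (not real sites or real data)
SAMPLE = [
    Response("https://example-port-schedule.invalid/", 200,
             {"Content-Type": "text/html"}, "<html><body>Vessel arrivals</body></html>"),
    Response("https://example-dashboard.invalid/", 200,
             {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
             "<html><body>Internal dashboard</body></html>"),
    Response("https://example-crm.invalid/", 302, {"Location": "/login?next=/"}, ""),
    Response("https://example-api.invalid/", 401, {"WWW-Authenticate": "Bearer"}, ""),
    Response("https://example-notes.invalid/", 200, {},
             '<html><head><meta name="robots" content="noindex"></head></html>'),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(f'{row["level"]:22} {row["url"]}')
```

"exposed-and-indexable" is the case the report is about: content served to anyone and nothing stopping Google from listing it. "exposed" still means the data is one link away; a noindex tag only keeps it out of search results and is not an access control.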
Dor Zvi, CEO of RedAccess, said, "There is no limit to how easily people can make something like this and use it in a production environment without company permission." He added, "It is realistically impossible to educate people around the world about security."
In response, Replit CEO Amjad Masad countered that it is normal for public apps to be accessible on the internet. A spokesperson for Wix, which owns Base44, said RedAccess intentionally did not disclose the URLs needed to verify the problematic apps. Lovable said it had begun investigating and removing phishing sites. RedAccess said it also found phishing sites impersonating Bank of America, FedEx, Trader Joe's and McDonald's that were built with Lovable.