The rapid rise of AI-assisted app builders has made software development accessible to non-engineers, but a new security crisis suggests the industry is moving too fast to protect user data. A WIRED investigation uncovered thousands of applications built with platforms such as Lovable, Base44, Replit, and Netlify that have exposed sensitive corporate and personal information on the open web, raising urgent questions about whether the vibe-coding movement has prioritized speed over security.

What Exactly Is Vibe Coding, and Why Is It Creating a Security Problem?

Vibe coding refers to a development approach where non-technical founders and small teams use AI-powered platforms to build functional applications by describing what they want in natural language, rather than writing code manually. Base44, which was acquired by Wix in June 2025 for $80 million, exemplifies this trend. The platform grew to 2 million users and $100 million in annual recurring revenue by early 2026, demonstrating how rapidly these tools are being adopted.

The appeal is undeniable. Base44 promises to take users from idea to working application in hours rather than weeks or months. The platform handles database setup, user authentication, hosting, and backend logic automatically, eliminating the need for DevOps expertise or configuration files. For founders validating ideas, this speed is transformative. But that same speed is now creating a dangerous blind spot: security is being treated as an afterthought rather than a foundational requirement.

The WIRED investigation found that thousands of apps built with these platforms have inadvertently exposed sensitive data including corporate credentials, personal information, and API keys on the open web. The problem is not necessarily a flaw in the platforms themselves, but rather a systemic issue where speed without security discipline creates serious risk.

How Are These Apps Exposing Data, and Who Is Responsible?

The security failures documented in the WIRED report reveal a pattern: developers using vibe-coding platforms are shipping applications without conducting basic security audits or implementing standard data protection practices. Common mistakes include hardcoding API keys in frontend code, failing to properly configure database access controls, and deploying applications with default credentials still active.

The responsibility for these breaches is distributed across multiple parties. Platform providers like Base44, Lovable, and Replit have made it easy to build quickly, but they have not made it equally easy to build securely. Many of these platforms lack built-in security guardrails or mandatory security checks before deployment. Developers, meanwhile, often lack the security expertise to recognize vulnerabilities in their own code. And the broader ecosystem, including hosting providers like Netlify, has not implemented sufficient default protections to catch these issues before data goes live.

The result is a growing pool of vulnerable applications serving real users and real businesses, many of which have no idea their data is exposed.

Steps to Secure AI-Built Applications Before Launch

• Conduct a Security Audit: Before deploying any application built with an AI coding platform, perform a manual review of how sensitive data is handled, where credentials are stored, and whether database access controls are properly configured.
• Implement Environment Variables: Never hardcode API keys, database passwords, or other secrets directly into application code. Use environment variables and secure vaults to manage sensitive credentials separately from your codebase.
• Enable Default Encryption: Ensure all data in transit is encrypted using HTTPS and all data at rest is encrypted in your database. Many vibe-coding platforms offer these features, but they must be explicitly enabled.
• Test Access Controls: Verify that users can only access data they are authorized to see. Role-based access control (RBAC) should be configured and tested before launch, not added as an afterthought.
• Monitor for Exposed Secrets: Use automated tools to scan your codebase and deployed applications for accidentally exposed credentials, API keys, or other sensitive information.

The WIRED investigation serves as a warning shot for the vibe-coding movement. AI tools have democratized software development, lowering barriers for non-engineers to build real products. But that democratization has come with a hidden cost: a generation of applications built without the security discipline that traditional software development enforces.

The next phase of AI-assisted development will require stronger guardrails, mandatory security audits, and defaults that protect users before apps go live. Platform providers will need to embed security checks into their workflows, not offer them as optional add-ons. Developers will need better education on common vulnerabilities. And the broader tech ecosystem will need to accept that speed and security are not mutually exclusive; they are interdependent.

Base44's rapid growth to 2 million users and $100 million in annual recurring revenue shows that the market demand for fast app building is real and substantial. But that growth is now shadowed by a critical question: how many of those applications are putting user data at risk? Until the industry addresses the security gap, the promise of democratized development will remain incomplete.