
Thousands of Vibe-Coded Apps Are Leaking Corporate Data Publicly


What happens when millions of people build software without knowing what authentication means? You get thousands of corporate databases sitting open on the public internet.

That's the finding from a Wired investigation published today: platforms like Lovable, Base44, Replit, and Netlify - which let users build working web apps through AI conversations rather than traditional coding - have produced thousands of apps leaking sensitive data publicly. Corporate records, personal information, internal business data - all accessible to anyone with a browser and the right URL.

"It Works" Is Not the Same as "It's Secure"

Vibe coding (building an app by describing what you want to an AI, which writes all the code) has genuinely lowered the bar to ship software. Someone who couldn't write a line of code in January can have a functioning CRM or customer portal running by March. The problem is that "runs" and "secure" are different standards, and these platforms optimize hard for the first one.

When AI generates an app, it creates a database, sets up the functionality you asked for, and gets things working. What it often doesn't do - unless you specifically ask - is add authentication (the login system that controls who can access your app), implement access controls (rules about who can see whose data), or apply security defaults. The app ships fast and has nothing protecting its data.

This isn't careless behavior from a handful of bad actors. It's the predictable result of platforms designed to remove friction. Friction in software development is often where security lives. Asking "who should be able to access this database?" slows you down. Skipping the question ships you faster. These platforms default to shipping faster.

What the Leaks Actually Contain

The investigation found real business data exposed without any login requirement: internal records, customer lists, financial data, employee information - whatever someone put into their AI-built app, sitting on a public URL with no barrier between it and the open web.

The scale is what matters most here. This isn't five or ten poorly built apps. Thousands of apps across Lovable, Base44, Replit, and Netlify are affected. Many of those apps almost certainly handle real data from small businesses and freelancers who believed they were building a private internal tool.

Lovable has marketed specifically to non-technical founders and small business owners who want to build without hiring developers. That audience is exactly the group least likely to know they need to configure authentication before their database goes live. When an AI finishes building your app and presents it to you, the implicit message is "it's done" - not "it's done, but you still need to think through your security model."

Bolt.new and similar platforms have genuinely opened software creation to people who couldn't access it before - that's real. But the platforms are making an active design choice when they let the path of least resistance lead directly to exposed data. Defaulting apps to private, requiring users to explicitly make data public, and prompting for authentication setup before any database-backed app goes live would change the outcome. Right now, none of them enforce that by default.

If you've built anything on these platforms: check what data you're storing and whether your app requires a login to access it. That check takes five minutes and the answer may surprise you.
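To make the gap described above concrete, here is an added example (not code from the article or from any of the named platforms): the same "list my invoices" endpoint written the way a get-it-working build usually comes out, beside a version that adds the two things the article says are missing, a login check and per-owner access control, plus the five-minute self-check of calling the endpoint as an anonymous visitor. The record set, the session table, and the Bearer-token scheme are constructed for the example.

```javascript
// Added example, not from the article or any vibe-coding platform.
// Two implementations of one endpoint over an in-memory store. Both "work";
// only one decides who is calling and which rows that caller may read.

// Constructed sample data: records belonging to two different customers.
const INVOICES = [
  { id: 1, ownerId: 'alice', amount: 1200, client: 'Acme Ltd' },
  { id: 2, ownerId: 'bob',   amount: 450,  client: 'Globex Inc' },
];

// Hypothetical session table standing in for whatever login system is used.
const SESSIONS = { 'tok-alice': 'alice', 'tok-bob': 'bob' };

// 1. Typical "it runs" output: caller identity is never checked and every
//    row goes to anyone who knows the URL. This is the leak pattern at issue.
function listInvoicesOpen(request) {
  return { status: 200, body: INVOICES };
}

// 2. Hardened version: require a valid session (authentication), then scope
//    the query to the caller's own rows (access control).
function listInvoicesScoped(request) {
  const token = (request.headers.authorization || '').replace(/^Bearer /, '');
  const userId = SESSIONS[token];
  if (!userId) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  return { status: 200, body: INVOICES.filter(row => row.ownerId === userId) };
}

// Self-check for "does my app require a login?": invoke the handler exactly
// as an anonymous visitor would (no credentials) and classify the response.
function anonymousExposure(handler) {
  const response = handler({ headers: {} });
  const leaked = response.status === 200
    && Array.isArray(response.body) && response.body.length > 0;
  return {
    status: response.status,
    recordsExposed: leaked ? response.body.length : 0,
    exposed: leaked,
  };
}

console.log('open:  ', anonymousExposure(listInvoicesOpen));   // exposed: true, 2 records
console.log('scoped:', anonymousExposure(listInvoicesScoped)); // exposed: false, status 401
```

The same probe applies to a deployed app: fetch each data endpoint from a fresh browser session or with no Authorization header, and treat a 200 with records in the body as a finding to fix before the app goes live.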