The cybersecurity firm RedAccess has identified more than 5,000 AI-generated web applications, hosted on platforms such as Lovable, Replit, Base44, and Netlify, that were publicly exposed or insufficiently protected. The finding points to a widespread weakness in this part of the current digital infrastructure: almost 40 percent of these applications exposed sensitive information without adequate access restrictions.
Among the exposed data are medical records, financial information, corporate strategy documents, and private conversations with chatbots. According to Dor Zvi, a RedAccess researcher, the scale makes this one of the largest unintentional exposures of corporate information on record.
Corporate and Medical Data Exposed
Analysts detected nearly 2,000 specific cases containing apparently private data, including hospital staff assignments with identifiable information about medical personnel, details of advertising purchases, market strategy presentations, and cargo records of logistics and transport companies.
The absence of basic controls let the researchers reach critical functions. Some applications allowed a visitor to obtain full administrative privileges and even to remove existing administrators. Many of the applications lacked robust authentication or accepted a login from any valid email address.
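The two weaknesses described above, an app that accepts any valid-looking email as a login and an admin action with no authorization check, modelled beside a hardened version of each. This is an added example written for this page, not code from RedAccess or from any of the platforms named; the user directory, the identity-provider claim shape and all function names are assumptions.

```javascript
// Added example (not code from RedAccess or any platform named in the article).
// Models the weaknesses the researchers describe and a hardened counterpart.
// All data below is constructed.

// Constructed user directory: email -> account record (hypothetical).
function makeDirectory() {
  return new Map([
    ["owner@example.com", { role: "admin" }],
    ["ops@example.com", { role: "admin" }],
    ["viewer@example.com", { role: "member" }],
  ]);
}

// Number of accounts still holding the admin role.
function adminCount(db) {
  return [...db.values()].filter((a) => a.role === "admin").length;
}

// --- Vulnerable pattern ---------------------------------------------------

// "Log in with any valid email address": the only check is that the string
// looks like an email, so anyone becomes a user without proving anything.
function loginVulnerable(email) {
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) return null;
  return { email };
}

// Admin removal that only checks that *a* session exists, never the caller's
// role: any logged-in visitor can strip administrators from the system.
function removeAdminVulnerable(db, session, targetEmail) {
  if (!session) return { ok: false, reason: "unauthenticated" };
  const target = db.get(targetEmail);
  if (!target) return { ok: false, reason: "no such user" };
  target.role = "member";
  return { ok: true };
}

// --- Hardened pattern -----------------------------------------------------

// Login built on identity-provider claims (the shape follows OpenID Connect's
// `email` / `email_verified` claims): the address must be verified by the
// provider AND already exist in our directory. Unknown addresses get nothing.
function loginHardened(db, claims) {
  if (!claims || claims.email_verified !== true) return null;
  const account = db.get(claims.email);
  if (!account) return null;
  return { email: claims.email, role: account.role };
}

// Authorization is decided server-side from the session's role, never from
// anything the client sends. An admin cannot demote themselves, and the last
// administrator can never be removed, so the app cannot be locked out.
function removeAdminHardened(db, session, targetEmail) {
  if (!session) return { ok: false, reason: "unauthenticated" };
  if (session.role !== "admin") return { ok: false, reason: "forbidden" };
  if (targetEmail === session.email) return { ok: false, reason: "cannot remove self" };
  const target = db.get(targetEmail);
  if (!target || target.role !== "admin") return { ok: false, reason: "not an admin" };
  if (adminCount(db) <= 1) return { ok: false, reason: "last admin" };
  target.role = "member";
  return { ok: true };
}

// Walk both paths with an attacker-controlled email and report the outcome.
function demo() {
  const vulnerable = makeDirectory();
  const attacker = loginVulnerable("anyone@attacker.example");
  const v = removeAdminVulnerable(vulnerable, attacker, "owner@example.com");

  const hardened = makeDirectory();
  const noSession = loginHardened(hardened, { email: "anyone@attacker.example", email_verified: true });
  const h = removeAdminHardened(hardened, noSession, "owner@example.com");

  return {
    vulnerableResult: v, vulnerableAdmins: adminCount(vulnerable),
    hardenedResult: h, hardenedAdmins: adminCount(hardened),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable path the attacker's made-up address yields a session and the first admin is demoted; in the hardened path the same address gets no session at all, and even a legitimate non-admin session is refused at the role check. The point is that the role check lives on the server next to the data, not in whatever UI the generator produced.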
"This is one of the biggest events in history regarding the involuntary exposure of corporate or sensitive information" - Dor Zvi, RedAccess researcher
Zvi also located active phishing sites that mimicked entities such as Bank of America, Costco, FedEx, Trader Joe's, and McDonald's hosted directly on the Lovable domain. These fraudulent spaces took advantage of the inherent trust in rapid development platforms to capture credentials from unsuspecting users.
Platforms Shift Responsibility to the User
The response from the implicated technology companies has been uneven. Netlify did not respond to inquiries from specialized media. For his part, Amjad Masad, CEO of Replit, said that privacy settings depend entirely on the user and can be changed with a single click in the interface.
Lovable said it is investigating the reports it has received but emphasized that the final security configuration rests with the application's creator. Blake Brodie, director of public relations at Wix, the parent company of Base44, maintained that disabling access controls is a deliberate user decision and questioned the validity of the presented examples pending thorough verification.
Joel Margolis, an independent security researcher, warned that it is sometimes difficult to distinguish real data from automatically generated test material. He nevertheless confirmed that the risk is common when teams without technical training build applications without solid security knowledge.
The report compares the situation with historical leaks caused by misconfigured Amazon S3 buckets that affected large corporations such as Verizon and World Wrestling Entertainment. The democratization of software development now allows applications to reach production without passing through traditional internal security reviews.