5,000 vibe-coded apps expose shadow AI as enterprise security blind spot
RedAccess discovered 380,000 publicly accessible applications and infrastructure built with vibe coding tools like Lovable and Replit, with roughly 5,000 containing sensitive corporate data including healthcare records, financial information, and customer conversations. The exposure stems from default privacy settings that make apps public unless manually switched to private, combined with indexing by search engines. This represents a new class of shadow AI risk that traditional enterprise security programs were not designed to detect or prevent.
TL;DR
- →RedAccess found 380,000 publicly accessible assets built with vibe coding platforms, with 5,000 containing sensitive corporate information
- →Exposed data includes healthcare records, financial information, shipping logistics, and customer service conversations from multiple jurisdictions
- →Default settings on vibe coding platforms make applications public by default, and many get indexed by Google, making discovery trivial
- →IBM's 2025 breach report shows shadow AI incidents add $670,000 to average breach costs, with 97% of AI-related breaches lacking proper access controls
Why it matters
Vibe coding tools have democratized application development but created a massive blind spot in enterprise security. Traditional security programs monitor servers, endpoints, and cloud accounts, but not ad-hoc applications built by non-technical staff on weekend projects. This gap is now quantified at scale and correlates with regulatory exposure under HIPAA, GDPR, and LGPD, making it a compliance and risk management issue, not just a technical one.
Business relevance
For operators and founders, this signals that citizen developer tools require new governance frameworks and that security budgets must expand to cover shadow AI. Gartner forecasts that prompt-to-app approaches will increase software defects by 2,500% by 2028, with remediation costs consuming innovation budgets. Organizations without AI governance policies face both breach liability and operational drag from fixing contextual bugs in AI-generated code.
Key implications
- →Default-public settings on vibe coding platforms create systemic exposure that user education alone cannot solve, requiring platform-level privacy defaults to shift
- →Shadow AI breaches disproportionately expose customer PII at 65% versus 53% across all breaches, creating heightened regulatory and reputational risk
- →Enterprise security teams need new discovery and monitoring tools specifically for shadow AI assets, representing a new market category for security vendors
- →Organizations must establish AI governance policies and access controls before citizen developers deploy production applications, or face breach costs averaging $4.63 million
What to watch
Monitor whether vibe coding platforms respond by changing default privacy settings and adding built-in governance controls. Watch for regulatory action under HIPAA, GDPR, and LGPD targeting organizations with exposed healthcare and financial data. Track whether security vendors launch shadow AI discovery tools and whether enterprises begin requiring approval workflows for citizen-developed applications.
vff Briefing
Weekly signal. No noise. Built for founders, operators, and AI-curious professionals.
No spam. Unsubscribe any time.
