Thousands of applications built on no-code AI platforms like Lovable, Base44, Replit, and Netlify are leaking sensitive corporate and personal data publicly online.
A security analysis has uncovered widespread data exposure across applications created using AI-powered, no-code development platforms. The affected services enable rapid web app creation with minimal technical expertise, but thousands of resulting applications are broadcasting confidential information to the open internet.
Platforms implicated in the exposure include Lovable, Base44, Replit, and Netlify—all major players in the low-code and no-code development space. These tools democratize app development by allowing users to build functional web applications in seconds using AI assistance.
However, the speed and simplicity come with a critical security cost. Developers using these platforms have inadvertently exposed API keys, authentication tokens, database credentials, and personal user information. In some cases, the exposed data includes corporate secrets and financial records.
The exposure stems from multiple factors: default insecure configurations, developers unfamiliar with security best practices shipping applications without proper credential management, and platforms not enforcing security guardrails by default. Many of the vulnerable apps remain publicly accessible, presenting ongoing risk to affected organizations and individuals.
The issue highlights a growing concern in the rapid-development space. As barriers to entry lower, security knowledge gaps widen. Users without traditional software development backgrounds may lack understanding of fundamental security principles—particularly around credential handling and environment variable management.
No official response or timeline for remediation has been announced from the affected platforms. Security researchers have typically reported findings to the companies involved, but disclosure patterns remain unclear.
The discovery underscores the need for platform-level security defaults and developer education as AI-assisted development becomes more accessible. Organizations using these platforms should audit their deployed applications for exposed credentials and implement proper secret management practices immediately.
Grok CLI experienced a critical bug that caused it to upload entire home directories to Google Cloud Storage. The issue sparked significant discussion in the developer community about data handling practices.
Aylo, Pornhub's parent company, will restore access to the site in the UK through Apple's device-level age verification system in iOS 26.4. The move requires users to complete age verification before accessing the platform.
Australia's eSafety Commissioner has identified significant gaps in how major tech platforms address online sexual extortion. Young men are reporting sextortion at higher rates than any other demographic, with over 2,000 complaints filed in just six months.
Angelo Martino, a ransomware negotiator, was sentenced to 70 months in prison for colluding with attackers to defraud victims. Martino helped orchestrate scams that extracted over $75 million from ransomware victims.