“We did not suffer a data breach,” said vibe coding unicorn Lovable. 

Then it admitted it had “accidentally” made the chats of every public project readable by any other user, exposing API keys and whatever other credentials developers had pasted into those chats.

A security researcher going by @weezerOSINT on X said they could access the source code, database credentials, AI chat histories, and customer data of multiple other customers just by spinning up a free Lovable account.

"People tell the AI what they want to build. They paste error logs. They discuss their business logic. They share credentials. Lovable stores all of it and exposes all of it." – @weezerOSINT

Extraordinarily, Lovable said that for a long time this was default and intentional behaviour: a public project was meant to expose its chat as well as its code. It stopped doing so in December, then inadvertently re-enabled the exposure in February.

Lovable data breach was a whoopsy

Lovable, a Sweden-based startup backed by Google, NVIDIA, Salesforce and others, lets users create applications and websites using natural language. 

It says over 200 million users a month visit its website.

That risk of massive data exposure was, for a long time, intentional.

Lovable said that until May 2025 a project marked “public” exposed its chat as well as its code, and its systems were designed to do exactly that.

“When you create a project on GitHub, you can make it private or public. Lovable worked the same. Users had a ‘Public’ or ‘Private’ option right in the chatbox. A public project meant the entire project was public, both chat and code. ‘Just like a public project on GitHub,’ we thought,” it said on Monday.

"This was confusing..."

“Over time, we realized this was confusing. Many users thought ‘public’ just meant others could see their published app, not the chat of an unpublished project. That’s reasonable,” Lovable said. It started changing settings in May and by December 2025 had made projects and chats both private by default.

But in February “while unifying permissions in our backend, we accidentally re-enabled access to chats on public projects,” the company (valued at over $6 billion) said on X late on Monday in an extraordinary admission. 

And even when it made the fix, it only did so for new projects.

"They never patched it for existing ones," @weezerOSINT said.

"I tested both today. A project created in April 2026 returns 403 Forbidden. The same developer's older project, actively edited 10 days ago, returns 200 OK with the full source tree. Same API. Same endpoint. Same free account. Same session. One is protected. The other is wide open. The first HackerOne report was filed March 3, 2026. Lovable marked it triaged. Then they shipped ownership checks for new projects and left every existing project exposed. 48 days later nothing has changed."
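The failure mode the researcher's test exposes, an ownership check that is only wired up for projects created after the fix, is a classic authorization bug: the new write path stamps a per-row flag, the legacy rows never get it, and the permission check quietly falls back to the old rule for anything unflagged. The following is an added illustration, not Lovable's code, of both the flawed check and the hardened one, plus the backfill that the "new projects only" fix skipped. The `enforce_ownership` row flag, the date constant, the account names and the chat lines are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed date: the article says the first HackerOne report was filed March 3, 2026.
OWNERSHIP_CHECKS_SHIPPED = date(2026, 3, 3)


@dataclass
class Project:
    """Hypothetical project row. `enforce_ownership` is the flag the new write
    path sets; rows created before the fix never received it."""
    id: str
    owner: str
    visibility: str                 # "public" or "private"
    created: date
    enforce_ownership: bool = False
    chat: list = field(default_factory=list)


def create_project(store, pid, owner, visibility, created, chat):
    """Write path after the fix: only rows created from now on carry the flag."""
    store[pid] = Project(pid, owner, visibility, created,
                         enforce_ownership=created >= OWNERSHIP_CHECKS_SHIPPED,
                         chat=chat)
    return store[pid]


def build_store():
    """Constructed sample data: one legacy project and one post-fix project,
    both public, same owner, each with a secret pasted into the chat."""
    store = {}
    create_project(store, "old", "dev", "public", date(2025, 11, 2),
                   chat=["fix deploy: DATABASE_URL=postgres://app:hunter2@db.internal/prod"])
    create_project(store, "new", "dev", "public", date(2026, 4, 10),
                   chat=["add webhook: sk_test_constructed_example_key"])
    return store


def can_read_chat_flawed(project, requester):
    """The 'unified' check: ownership is enforced only when the row flag is set,
    so a legacy public project falls back to 'public means the chat too'."""
    if requester == project.owner:
        return True
    if not project.enforce_ownership:
        return project.visibility == "public"
    return False


def can_read_chat(project, requester):
    """Hardened check: chat is owner-only for every row, independent of
    visibility and of any per-row flag that legacy data may lack."""
    return requester == project.owner


def get_chat(store, pid, requester, check):
    """Minimal stand-in for the chat endpoint: HTTP-style status plus body."""
    project = store.get(pid)
    if project is None:
        return 404, None
    if not check(project, requester):
        return 403, None
    return 200, project.chat


def probe(store, requester, check):
    """The researcher's experiment: same endpoint, same account, every project."""
    return {pid: get_chat(store, pid, requester, check)[0] for pid in sorted(store)}


def backfill_enforcement(store):
    """The migration a 'new projects only' fix skips: flag every existing row."""
    for project in store.values():
        project.enforce_ownership = True


if __name__ == "__main__":
    store = build_store()
    print("flawed check    :", probe(store, "free-account", can_read_chat_flawed))
    print("hardened check  :", probe(store, "free-account", can_read_chat))
    backfill_enforcement(store)
    print("flawed+backfill :", probe(store, "free-account", can_read_chat_flawed))
    print("owner           :", probe(store, "dev", can_read_chat))
```

With the flawed check a free account gets 403 on the new project and 200, secret included, on the old one, which is the 403/200 split the researcher reports; the hardened check returns 403 for both without any data migration, and the backfill shows that even the flawed check would have closed the hole had it been applied to existing rows.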

When the exposure was reported through the HackerOne bug bounty programme, the “reports were closed without escalation because our HackerOne partners thought that seeing public projects’ chats was the intended behaviour,” Lovable admitted. Separately, and rather unconvincingly, it said: “Security is not an afterthought at Lovable. It’s a company-wide commitment backed by a dedicated team and continuous investment.”

And as recently as days ago, security researchers trying to report it again saw their disclosure marked “duplicate” and closed without any action.

Upon being pointed very publicly to the fact that it was spewing chats that users thought were private out into the open for any other user to read and steal credentials or other data from, Lovable said it “immediately reverted the change to make all public projects’ chats private again.”

"We appreciate the researchers who uncovered this. We understand that pointing to documentation issues alone was not enough here. We’ll do better…”

“Our SOC 2 Type II was independently audited by Prescient Assurance,” it added. “We’re currently undergoing an independent internal audit of our ISMS, recertifying ISO 27001, and have our next SOC 2 Type II scheduled for Q3 2026.”
