RedAccess finds 380K public apps leaking health data
Key insights
- RedAccess found 380,000 vibe-coded apps publicly accessible on Lovable, Base44, Replit, and Netlify with no authentication.
- Over 2,000 apps were actively exposing medical records, financial documents, and customer data at time of discovery.
- The exposure stems from platforms defaulting to public deployment settings, not from attacks or deliberate developer decisions.
Why this matters
Vibe-coding platforms have crossed a threshold where non-technical employees are routinely deploying internal tools containing sensitive data into default-public configurations that security teams never reviewed. The 2,000-plus active leaks represent a compliance liability for any enterprise that allowed developers or business units to use AI-assisted coding platforms without a formal deployment approval process. HIPAA-regulated companies with clinical trial or medical-record data in these apps face potential breach-notification obligations under existing law, regardless of whether any external actor actually accessed the exposed endpoints.
Summary
RedAccess scanned apps on Lovable, Base44, Replit, and Netlify and found 380,000 sitting publicly accessible with zero authentication. More than 2,000 were actively leaking medical records, financial documents, and clinical trial data, all from default platform settings rather than any deliberate attack.
Vibe-coding platforms deploy publicly by default, and developers building on them often have no idea access controls need to be configured. RedAccess CEO Dor Zvi called it one of the largest involuntary corporate data exposures in history.
Essentially: platform defaults (on Lovable, Base44, Replit, and Netlify) plus developer blind spots equals open data.
- 380,000 apps publicly accessible with no authentication layer
- 2,000+ actively leaking medical records, financials, and customer conversations
- Misconfiguration drove the exposure, not hacking
Every enterprise running AI-built internal tools now has an unfinished audit item.
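The audit item above is concrete enough to script. The following is an added example, not code from RedAccess or from any of the named platforms: given an inventory of your own deployed internal apps, it requests each one with no credentials and classifies the response (auth challenge, redirect to a login page, or open), escalating open apps whose body looks like it holds patient or financial records. Everything in it is assumed for illustration: the `http_probe` helper, the `LOGIN_HINTS` and `SENSITIVE_HINTS` keyword lists, and the constructed sample responses under `SAMPLE` (the hostnames there are made up, not real deployments).

```python
"""Unauthenticated-access audit for an inventory of internally built web apps.

Added example, not code from RedAccess or from any of the named platforms.
Assumed: you own every URL in the inventory; `http_probe` fetches each URL
with no credentials; `classify` decides from the response whether the app
is reachable without logging in.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Constructed heuristics: paths that usually mean "you were sent to a login".
LOGIN_HINTS = ("/login", "/signin", "/sign-in", "/auth", "/sso", "/oauth")
# Constructed keyword list: an open app whose body mentions these is escalated,
# since medical and financial records are what the reported leaks contained.
SENSITIVE_HINTS = ("patient", "diagnosis", "invoice", "salary", "ssn", "account number")


@dataclass
class ProbeResult:
    status: int                                  # 0 means the request did not complete
    headers: Dict[str, str] = field(default_factory=dict)
    final_url: str = ""                          # URL after redirects were followed
    body_snippet: str = ""                       # first few KB of the response body


def classify(r: ProbeResult) -> str:
    """Map one unauthenticated response to auth_required / login_redirect / open / unreachable."""
    hdrs = {k.lower(): v for k, v in r.headers.items()}
    if r.status in (401, 403) or "www-authenticate" in hdrs:
        return "auth_required"
    # Either we landed on a login page, or an unfollowed 3xx points at one.
    landing = urlparse(r.final_url).path.lower()
    location = hdrs.get("location", "").lower()
    if any(h in landing or h in location for h in LOGIN_HINTS):
        return "login_redirect"
    if 200 <= r.status < 300:
        return "open"
    return "unreachable"


def severity(r: ProbeResult) -> str:
    """'critical' for open apps whose body looks sensitive, 'high' for open, else 'ok'."""
    if classify(r) != "open":
        return "ok"
    body = r.body_snippet.lower()
    return "critical" if any(k in body for k in SENSITIVE_HINTS) else "high"


def audit(inventory: List[str], probe: Callable[[str], ProbeResult]) -> List[dict]:
    """Probe every URL without credentials; return findings for open apps, worst first."""
    findings = []
    for url in inventory:
        r = probe(url)
        sev = severity(r)
        if sev != "ok":
            findings.append({"url": url, "severity": sev, "status": r.status})
    order = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: order[f["severity"]])


def http_probe(url: str, timeout: float = 5.0) -> ProbeResult:
    """Live probe with urllib: no auth headers, no cookies. Not used by the sample below."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": "internal-app-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:  # follows redirects
            body = resp.read(4096).decode("utf-8", "replace")
            return ProbeResult(resp.status, dict(resp.headers.items()), resp.geturl(), body)
    except urllib.error.HTTPError as e:
        return ProbeResult(e.code, dict(e.headers.items()), url, "")
    except (urllib.error.URLError, OSError):
        return ProbeResult(0, {}, url, "")


# Constructed sample responses standing in for a real probe run (hostnames are invented).
SAMPLE = {
    "https://hr-intake.example-lovable.app/": ProbeResult(
        200, {"Content-Type": "text/html"}, "https://hr-intake.example-lovable.app/",
        "<h1>Patient intake queue</h1> diagnosis codes ..."),
    "https://expense-tool.example-replit.app/": ProbeResult(
        200, {"Content-Type": "text/html"}, "https://expense-tool.example-replit.app/",
        "<h1>Team dashboard</h1>"),
    "https://crm.example-base44.app/": ProbeResult(
        200, {}, "https://crm.example-base44.app/login?next=%2F", "Sign in with SSO"),
    "https://finance.example-netlify.app/": ProbeResult(
        401, {"WWW-Authenticate": "Basic realm=internal"}, "https://finance.example-netlify.app/", ""),
}


def sample_audit() -> List[dict]:
    """Run the audit over the constructed sample instead of the network."""
    return audit(list(SAMPLE), SAMPLE.__getitem__)


if __name__ == "__main__":
    for f in sample_audit():
        print(f"{f['severity']:8} {f['status']:3} {f['url']}")
```

Against the constructed sample, the intake app is reported as critical (open and mentioning patient data), the expense tool as high (open, nothing sensitive in the first bytes), and the other two drop out because one challenged for credentials and one redirected to a login page. A real run swaps `SAMPLE.__getitem__` for `http_probe`; the point of keeping the two apart is that the classification logic is testable without touching production apps.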
Potential risks and opportunities
Risks
- Enterprises using Lovable or Replit for internal HR or finance tools face HIPAA or SOC 2 audit failures if deployed apps with patient or customer data remain publicly accessible.
- App owners identified in the RedAccess scan who have not secured exposed endpoints could face GDPR enforcement actions with fines up to 4% of global annual revenue.
- Vibe-coding platforms (Lovable, Base44) face enterprise customer churn if default-public deployment settings are not changed within 30 to 60 days of this public disclosure.
Opportunities
- Enterprise cloud security vendors with API scanning capabilities (Wiz, Orca Security, Tenable) can market automated vibe-coding app audits as a new compliance offering to enterprises.
- Vibe-coding platforms that ship private-by-default deployment settings proactively can convert this incident into a competitive trust differentiator with enterprise buyers.
- Cyber insurers (Coalition, At-Bay) can introduce a policy rider for AI-built internal tool exposure liability, priced against a company's inventory of vibe-coded deployments.
What we don't know yet
- Whether Lovable, Base44, or Replit have changed default deployment visibility settings since RedAccess disclosed findings, and on what timeline.
- How many of the 2,000+ actively leaking apps have been notified or taken offline as of the original scan date.
- Whether U.S. HHS or EU data protection authorities have been alerted to the medical-record exposures given mandatory breach-notification windows.
Originally reported by thehackernews.com
Original headline: RedAccess Finds 380,000 Vibe-Coded Apps Deployed Publicly With No Access Controls — 2,000+ Actively Leaking Medical Records, Financial Documents, and Customer Data