Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus

Vibe-coding platform Lovable is pooh-poohing a researcher’s finding that anyone could open a free account on the service and read other users' sensitive info, including credentials, chat history, and source code. However, the company’s story keeps changing: First it attributed the publicly exposed info to "intentional behavior" and "unclear documentation," then threw bug-bounty service HackerOne under the bus.

The drama appears to be the latest example of an AI firm, in this case a startup that claims a $6.6 billion valuation, shirking responsibility for security flaws in its products. Companies including Uber, Zendesk, and Deutsche Telekom all use Lovable's vibe coding AI tool, according to its latest funding announcement.

"Lovable has a mass data breach affecting every project created before November 2025," a researcher who goes by @weezerOSINT on X posted on Monday. "I made a Lovable account today and was able to access another user ...