5,000 Vibe-Coded Apps Expose Corporate Secrets in Shadow AI Security Crisis
Enterprise security programs were built to protect servers, endpoints, and cloud accounts—not customer intake forms that product managers "vibe coded" over a weekend using AI tools, connected to live databases, and deployed on public URLs indexed by Google. That architectural blind spot now has a quantified price tag, and it's exposing sensitive corporate infrastructure at scale.
Israeli cybersecurity firm RedAccess has documented the scope of what researchers are calling the new S3 bucket crisis. Their investigation uncovered approximately 380,000 publicly accessible assets—including applications, databases, and related infrastructure—built using vibe coding tools from Lovable, Base44, and Replit, along with deployment platform Netlify. Roughly 5,000 of those assets, representing about 1.3% of the total, contained sensitive corporate information. CEO Dor Zvi said the exposure emerged while researching shadow AI risks for customers. Both Axios and Wired independently verified multiple exposed apps, including a shipping company application that detailed vessel arrival schedules at ports.
The findings signal a fundamental gap in how enterprises approach AI-generated code and rapid deployment tools. Traditional security perimeters were not designed to detect or govern applications created outside formal development pipelines, connected to production databases, and exposed to public indexing. As vibe coding platforms lower the barrier to application creation, they simultaneously expand the attack surface in ways most security frameworks have not yet adapted to. The comparison to the S3 bucket crisis reflects a similar pattern: legitimate tools creating unintended exposure at scale, with sensitive data leaking through infrastructure that exists outside traditional oversight.