We have officially hit the peak of the vibe coding era. Thanks to platforms like Lovable, Replit and Claude Code, building software is quick and easy. If your team member needs an internal tool to track inventory or handle a spreadsheet, they can just describe what they want to an AI agent, and a working web application can be deployed within minutes. It feels like magic, but it’s an absolute security nightmare. As a software development agency that spends every day building robust, secure digital infrastructure, we have been watching this trend, and a recent investigation by cybersecurity firm RedAccess, reported by WIRED, has just delivered the reality check we’ve been expecting.
Researchers scanned roughly 380,000 publicly accessible web applications built using popular AI coding platforms. They discovered that over 5,000 of these apps were sitting on the open web, completely unauthenticated, exposing highly sensitive corporate data. The sheer scale of this exposure proves why letting your team vibe code without professional governance is an incredible risk to your business.
Working vs safe
The core issue with vibe coding is that AI models are trained to optimise for working output, not for secure design. If a non-technical manager asks an AI to build a dashboard that pulls data from a company spreadsheet, the AI will deliver exactly that. What it won’t do is build a robust security architecture unless explicitly instructed to. The report revealed that many of these 5,000 exposed applications had virtually no security features at all: anyone who stumbled upon the URL could view the contents. Even worse, several platforms default to public visibility, meaning these apps are being indexed by Google and Bing, making them searchable to anyone. At Wirebox, when we build custom software, the interface is just the tip of the iceberg. The majority of the work happens under the bonnet: setting up secure APIs, data encryption and strict permission layers. Vibe coding skips this defensive engineering entirely.
Real-world data on the open web
This is not a theoretical security flaw, by the way. The data exposed in this research involved genuine, business-critical information from major organisations. Researchers and journalists verified live applications containing internal financial records for an international bank, active clinical trial data for a UK healthcare company and full unredacted customer service transcripts for a British supplier. Other discovered apps exposed hospital work assignments filled with doctors’ personal information and confidential corporate strategy decks. And this exposure did not happen because hackers deployed complex exploits. It happened because ordinary employees built tools themselves with AI, connected them to live company data and hit publish without realising they were exposing that data to the whole internet.

Compliance time bomb
For businesses operating in regulated sectors, or anywhere in the UK & Europe, this shadow AI development is a compliance disaster waiting to happen. If your team builds a quick reporting tool that processes customer information, that tool instantly falls under the scope of data protection laws like GDPR. These regulations require strict access controls, data logging and documented handling procedures. A vibe-coded app running on a public URL with zero authentication fails every single one of these compliance checks. If customers, competitors or auditors find this unmapped, insecure tool pulling live information from your central database and report it, the result could be severe financial penalties and massive reputational damage.
What to do instead
The solution is not to ban AI coding tools entirely. The productivity gains are simply too large to ignore (and trying to block these platforms usually just drives the behaviour further underground). Instead, you need a clear governance framework:
- Establish an inventory of acceptable internal tools – You cannot protect what you don’t know exists. Implement software to monitor network traffic and identify which AI development platforms your employees are accessing. Create a formal registry where team members must log any tool they build using AI and define what platforms they CAN use.
- Set mandatory deployment rules – Never allow an application to connect to live company data without passing basic deployment checks like secure authentication, a corporate VPN and no public search engine indexing. And train your teams on proper data handling so they know what’s acceptable and what isn’t.
- Bring in professional oversight – If a tool built by your team becomes critical to daily business operations, move it into your professional development pipeline with a partner like Wirebox, who can audit these AI prototypes, identify any security gaps and wrap them in enterprise-grade infrastructure so the resulting software is secure, scalable and compliant.
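As an added illustration of the deployment checks in the second point (not code from the article or from Wirebox), the script below evaluates a captured HTTP response from an internal tool against two of the rules: an unauthenticated request must not return content, and the app must carry a noindex directive so search engines do not list it. The two sample responses are constructed; the VPN check is not modelled, since it cannot be judged from a response alone.

```python
# Added example: a pre-deployment gate for internally built web tools.
# Sample responses are constructed for illustration, not captured from real apps.
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive; match on lower-cased name
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def requires_auth(resp: Response) -> bool:
    """An unauthenticated GET of the app root must not succeed.
    Accept a 401 challenge, a 403, or a redirect to a login page."""
    if resp.status == 401 and resp.header("WWW-Authenticate"):
        return True
    if resp.status == 403:
        return True
    if resp.status in (302, 303, 307) and "login" in resp.header("Location").lower():
        return True
    return False


def blocks_indexing(resp: Response) -> bool:
    """Search engines honour an X-Robots-Tag header or a robots meta tag with noindex."""
    if "noindex" in resp.header("X-Robots-Tag").lower():
        return True
    return bool(re.search(r'<meta[^>]+name=["\']robots["\'][^>]+noindex', resp.body, re.I))


def deployment_gate(resp: Response) -> list[str]:
    """Return the failed checks; an empty list means the tool may connect to live data."""
    failures = []
    if not requires_auth(resp):
        failures.append("unauthenticated request returned content")
    if not blocks_indexing(resp):
        failures.append("no noindex directive; search engines may index the tool")
    return failures


# Constructed: a dashboard published with platform defaults (public, no login)
VIBE_CODED = Response(200, {"Content-Type": "text/html"}, "<html><body>Q3 revenue</body></html>")
# Constructed: the same tool behind an auth challenge and marked noindex
HARDENED = Response(401, {"WWW-Authenticate": 'Basic realm="internal"', "X-Robots-Tag": "noindex, nofollow"})

if __name__ == "__main__":
    for name, r in (("vibe-coded", VIBE_CODED), ("hardened", HARDENED)):
        print(name, deployment_gate(r) or "PASS")
```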