18,000 Users from College Students to Minors Caught in #lovable #vibecoding #vibehacking
FULL TRANSCRIPT
18,000 students and their teachers just had their personal data exposed. Names, emails, grades, credit balances, all of it, wide open. Not because of some sophisticated hack, but because an AI wrote code with a logic error so basic that any junior developer would have caught it in their sleep. Welcome to vibe hacking.

So, here's what happened. Last week, The Register published findings from security researcher Tai Murk. He'd been probing apps featured on Lovable, the vibe coding platform that went from 1 million ARR to 100 million ARR in eight months. He found one of their showcased edtech apps, an exam questioning platform with over 100,000 views on Lovable's own Discover page, and it was a disaster. 16 vulnerabilities, six of them critical, over 18,000 user records, teachers, students from UC Berkeley, UC Davis, K-12 schools with minors on the platform, completely exposed. Anyone can view all their user data, delete accounts, change credit balances, send bulk emails, and access grade submissions with no login required.

And here's the kicker. The core bug: the AI that vibe coded the Supabase backend, which handles auth, file storage, and database connections (and I love Supabase, so not criticizing them here), implemented authentication logic that was literally inverted. It blocked authenticated users and allowed access to unauthenticated users. According to The Register, the intent was to block non-admins, but the AI's implementation blocked all logged-in users instead, and this logic inversion was repeated across multiple critical functions. Khan called it out directly: a classic logic inversion that a human security reviewer would have caught in seconds. But the AI code generator, optimizing for code that works, produced it and deployed it to production.

And this isn't a one-off. Security firm Escape Tech scanned 1,645 Lovable-built apps from the platform's Discover page and found 170 with critical data exposure flaws, more than 10%. A separate Veracode study found 45% of AI-generated code contains security flaws. And CodeRabbit's December 2025 analysis of 470 real-world GitHub pull requests, published in their State of AI versus Human Code Generation report, found AI-generated pull requests contain 1.7 times more issues overall, with cross-site scripting vulnerabilities appearing 2.74 times more than the rate in human-written code, and logic errors 75% more frequently.

And so Khan coined a term for this, vibe hacking, and I think it's going to stick. The idea is simple. If vibe coding means you describe what you want and AI builds it without you reading the code, then vibe hacking means you exploit AI-generated code knowing it was never properly reviewed. You're not looking for sophisticated zero-days. You're looking for the dumb stuff: broken access controls, exposed API keys, missing authentication, because you know the builder probably never checked.

Think about it. According to a Microsoft case study, 75% of Replit's enterprise users aren't even software engineers. And their CEO says the AI agent has built over 2 million apps without users writing a single line of code. Y Combinator's managing partner Jared Friedman told TechCrunch that 25% of their winning 2025 startups had code bases that were 95% AI-generated. That's a lot of code that nobody has actually read.

And the damage isn't just to individual apps. The open source ecosystem is getting wrecked too. Daniel Stenberg, the guy who maintains curl, you know, the command line tool that basically powers half of the internet, he shut down his bug bounty program in January after AI-generated submissions overwhelmed his team. He said about 20% of reports were AI-generated and the rate of valid vulnerabilities dropped from roughly 1 in 6 to 1 in 20. That's from his FOSDEM 2026 talk, covered by The New Stack.

Tailwind CSS tells an even scarier story. This is Tailwind CSS. I love Tailwind. I use it everywhere. Creator Adam Wathan revealed in a GitHub comment in January, on a GitHub thread about making the documentation more accessible to LLMs, that despite Tailwind being more popular than ever, 75 million monthly downloads, documentation traffic fell 40% from early 2023 and revenue dropped nearly 80%. He had to lay off three of his four engineers. People are using the tools, but nobody's reading the docs. Fewer real folks are contributing back. An academic paper literally titled "Vibe Coding Kills Open Source" argues that this creates a death spiral. Less engagement, less maintenance, worse software for everyone.

Okay, so here's where I could just leave you scared and tell you to subscribe, but that's not what we do on this channel. The answer to insecure AI-generated code isn't just "stop vibe coding." That genie is out of the bottle. There is no going back. The answer is: use AI to audit AI. Have your AI act as a security auditor. Point it at your codebase, whether it's a Lovable project, something from Cursor, or whatever, and have it do a structured security review. This doesn't replace a human, but it can help cover a lot of things. Make it look for the exact types of vulnerabilities that AI code is most likely to produce: broken access controls like the Lovable bug, exposed API keys and secrets, missing authentication on endpoints, insecure data handling, SQL injection and cross-site scripting vulnerabilities, logic errors in permission workflows. Make it not just flag problems. Have it explain in plain English and suggest fixes. Because if you're vibe coding, you don't want to read a SAST report. You want someone to tell you what's wrong and how to fix it.

Because here's the thing: the 80/20 problem in vibe coding isn't going away. AI gets you 80% of a working app in minutes. But that last 20%, security, edge cases, production readiness, that's where things break. And right now, most people are shipping the 80% and hoping for the best.

Now, to be clear, this strategy is a starting point. It's not a full security audit or a replacement for a person doing the actual review for you. It's going to catch the obvious stuff: the exposed keys, the broken auth, the logic inversions like the Lovable bug. For vibe coders shipping side projects and MVPs, it does close a massive gap. But if you're building something that handles real user data at scale, you need professional help. But you can use this strategy to get from "completely unreviewed" to "caught the basics." And that alone would have prevented this bug that affected 18,000 users.

So here's the bottom line. There's a difference between building fast and building reckless. And right now, the vibe coding ecosystem is leaning reckless. I'm not anti-vibe coding. Speed is a feature. But shipping code nobody's reviewed to users who trust you with their data? That's not speed. That's negligence. If you're building anything that touches user data, you need a security review in your workflow. Period. Whether that's an agent, a manual audit, or something else, just don't ship what you haven't checked.

We are building agentic infrastructure at Zorus that handles exactly this kind of problem: AI agents that work alongside your development workflow to catch what humans miss and what AI introduces. Security review is just one piece. If that sounds interesting, check the links below and hit us up. And if you want to see me actually vibe hack a Lovable app to show you how easy it is, let me know in the comments. That might be the next video. Thanks everyone. I'll see you soon. Cheers.
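The inverted admin check the video describes, rebuilt as an added example. This is not code from the video, from the affected app, or from Lovable or Supabase; the session shape, role names, endpoint names and status codes are assumptions. It shows the buggy guard next to a default-deny version, and the kind of role-matrix check a reviewer (human or AI) can run to catch an inversion mechanically, since an inverted guard fails on two rows of the matrix at once: the anonymous caller gets in and the admin gets locked out.

```typescript
// Added example, not the page's or any vendor's code. Models an "admin-only"
// guard in front of the admin actions the video lists, and a role-matrix
// review check that flags an inverted guard. Names below are assumptions.

type Role = "anon" | "user" | "admin";

interface Session {            // assumed shape of a decoded auth session
  userId: string;
  role: Role;
}

interface Ctx {                // assumed request context handed to a handler
  session: Session | null;     // null == no valid token presented
}

export type Guard = (ctx: Ctx) => number;   // returns an HTTP-style status

// Intent: "block non-admins". Implementation: "block anyone who is logged in".
// An unauthenticated caller gets 200; a real admin gets 403.
export const buggyAdminOnly: Guard = (ctx) => {
  if (ctx.session) return 403;   // inverted: having a session is the deny condition
  return 200;                    // no session falls through to allow
};

// Default-deny version: no session -> 401, session but wrong role -> 403,
// and only an authenticated admin reaches 200.
export const adminOnly: Guard = (ctx) => {
  if (!ctx.session) return 401;
  if (ctx.session.role !== "admin") return 403;
  return 200;
};

// Constructed callers, one per role, so every branch of a guard is exercised.
const CALLERS: { [R in Role]: Ctx } = {
  anon:  { session: null },
  user:  { session: { userId: "u-1", role: "user" } },
  admin: { session: { userId: "a-1", role: "admin" } },
};
const ROLES: Role[] = ["anon", "user", "admin"];

// Review check: run a guard against the whole role matrix and report every
// decision that disagrees with the allow-list for that endpoint.
export function auditGuard(name: string, guard: Guard, allowed: Role[]): string[] {
  const findings: string[] = [];
  for (const role of ROLES) {
    const status = guard(CALLERS[role]);
    const shouldAllow = allowed.indexOf(role) !== -1;
    if (shouldAllow && status !== 200) {
      findings.push(`${name}: ${role} should be allowed but got ${status}`);
    } else if (!shouldAllow && status === 200) {
      findings.push(`${name}: ${role} should be denied but got 200`);
    }
  }
  return findings;
}

// The admin-only actions named in the video, each behind the same guard.
const ADMIN_ENDPOINTS = [
  "deleteAccount",
  "updateCreditBalance",
  "sendBulkEmail",
  "listGradeSubmissions",
];

export function auditEndpoints(guard: Guard): string[] {
  let findings: string[] = [];
  for (const ep of ADMIN_ENDPOINTS) {
    findings = findings.concat(auditGuard(ep, guard, ["admin"]));
  }
  return findings;
}

// Stand-alone run: prints the eight findings for the inverted guard, nothing
// for the corrected one.
for (const line of auditEndpoints(buggyAdminOnly)) console.log(line);
console.log(`corrected guard findings: ${auditEndpoints(adminOnly).length}`);
```

The same matrix idea carries over to the database layer a Supabase app leans on: exercise each row-level-security policy as an anonymous caller, as an authenticated non-admin, and as an admin, and compare what each one can read, update and delete against what the policy was meant to allow. A guard or policy that is merely inverted will show up as the anonymous row being allowed and the privileged row being denied in the same run.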