Lovable: Lovable denies mass data breach

Lovable Denies Data Breach After User Exposes Security Flaw in AI Coding Platform

Swedish no-code startup Lovable has refuted claims of a mass data breach after an anonymous user alleged that sensitive user information including chat histories, emails, names, and dates of birth was accessible through a security flaw. The incident surfaced on X (formerly Twitter) when the user demonstrated how they could view and download other customers’ project data, including full chat logs and website source code, simply by creating a free account.

The user, who had reported the bug 48 days earlier, claimed Lovable had marked the issue as a duplicate and left it unresolved. Their post, viewed over 500,000 times by 6 PM BST, included screenshots appearing to confirm the exposure. Lovable responded hours later, denying a breach but acknowledging poor communication about data visibility settings. The company stated that while public project chats were once visible, this functionality had since been disabled, though only for enterprise customers, as of May 25, 2025.

Founded in 2024, Lovable enables users to build apps and websites without coding, backed by $500 million in funding from investors like Accel, Creandum, and EQT. The incident coincides with the company’s recent partnership with security firm Aikido to offer penetration testing for user-built applications, as well as internal pressure to accelerate product updates amid reports that rival Anthropic is developing a competing tool.

Source: https://sifted.eu/articles/lovable-denies-data-breach/

Lovable cybersecurity rating report: https://www.rankiteo.com/company/lovable-dev

{
  "id": "LOV1776717678",
  "linkid": "lovable-dev",
  "type": "Breach",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users of Lovable's platform (exact number unknown)",
      "industry": "No-code / AI Development Platform",
      "location": "Sweden",
      "name": "Lovable",
      "type": "Company"
    }
  ],
  "attack_vector": "Misconfiguration",
  "customer_advisories": "Public statement denying breach but acknowledging data visibility issues",
  "data_breach": {
    "data_exfiltration": "Possible (user demonstrated download capability)",
    "file_types_exposed": ["Chat logs", "Source code"],
    "personally_identifiable_information": "Yes (emails, names, dates of birth)",
    "sensitivity_of_data": "High (PII and proprietary project data)",
    "type_of_data_compromised": [
      "Chat histories",
      "Emails",
      "Names",
      "Dates of birth",
      "Project data",
      "Website source code"
    ]
  },
  "date_resolved": "2025-05-25",
  "description": "Swedish no-code startup Lovable has refuted claims of a mass data breach after an anonymous user alleged that sensitive user information including chat histories, emails, names, and dates of birth was accessible through a security flaw. The user demonstrated how they could view and download other customers’ project data, including full chat logs and website source code, by creating a free account. The issue was reported 48 days prior but marked as a duplicate and left unresolved.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to public disclosure",
    "data_compromised": "Chat histories, emails, names, dates of birth, project data, website source code, full chat logs",
    "identity_theft_risk": "High (PII exposed)",
    "systems_affected": "Lovable AI coding platform"
  },
  "investigation_status": "Ongoing (company denies breach but acknowledges misconfiguration)",
  "lessons_learned": "Need for improved bug triage and communication regarding data visibility settings; importance of addressing reported vulnerabilities promptly.",
  "motivation": "Bug reporting / Whistleblowing",
  "post_incident_analysis": {
    "corrective_actions": "Disabled public project chat visibility for enterprise customers; potential future fixes for all users",
    "root_causes": "Misconfiguration in data visibility settings, delayed response to bug report"
  },
  "recommendations": "Conduct a full security audit, implement stricter access controls, improve incident response communication, and extend security fixes to all users (not just enterprise).",
  "references": [{"source": "X (formerly Twitter)"}],
  "response": {
    "communication_strategy": "Public denial of breach, acknowledgment of poor communication",
    "containment_measures": "Disabled public project chat visibility for enterprise customers",
    "remediation_measures": "Addressed misconfiguration for enterprise customers (May 25, 2025)",
    "third_party_assistance": "Aikido (security firm partner)"
  },
  "threat_actor": "Anonymous user",
  "title": "Lovable Denies Data Breach After User Exposes Security Flaw in AI Coding Platform",
  "type": "Data Exposure",
  "vulnerability_exploited": "Poor data visibility settings"
}