Lovable: Lovable denies mass data breach

Lovable Denies Data Breach After User Exposes Chat History Vulnerability

Swedish no-code startup Lovable has refuted claims of a mass data breach after an anonymous user alleged that sensitive user information including chat histories, emails, names, and dates of birth was accessible through a security flaw. The user, who posted on X (formerly Twitter), stated they could view and download other customers' project data, including full chat logs, after creating a free account. The post, which gained over half a million views within hours, also claimed the vulnerability had been reported 48 days prior but remained unresolved, marked as a duplicate issue by the company.

Lovable responded on X, denying a breach but acknowledging poor communication about data visibility settings. The company clarified that while chat messages for public projects were previously accessible, this functionality had been disabled for enterprise customers since May 25, 2025. Screenshots shared by the user appeared to confirm the exposure of sensitive data, including source code and personal details.

Founded in 2024, Lovable enables users to build apps and websites without coding expertise and has raised over $500 million from investors such as Accel, Creandum, and EQT. The incident coincides with the company’s recent partnership with security firm Aikido to offer penetration testing for user-built applications, as well as internal efforts to roll out a product update amid reports that AI rival Anthropic is developing a competing tool.

Source: https://sifted.eu/articles/lovable-denies-data-breach

Lovable cybersecurity rating report: https://www.rankiteo.com/company/lovable-dev

{
  "id": "LOV1776731185",
  "linkid": "lovable-dev",
  "type": "Vulnerability",
  "date": "5/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users with public projects",
      "industry": "Technology (No-Code Platform)",
      "location": "Sweden",
      "name": "Lovable",
      "type": "Company"
    }
  ],
  "attack_vector": "Misconfiguration",
  "data_breach": {
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Chat histories",
      "Emails",
      "Names",
      "Dates of birth",
      "Source code",
      "Personal details"
    ]
  },
  "date_resolved": "2025-05-25",
  "description": "Swedish no-code startup Lovable has refuted claims of a mass data breach after an anonymous user alleged that sensitive user information including chat histories, emails, names, and dates of birth was accessible through a security flaw. The user claimed they could view and download other customers' project data, including full chat logs, after creating a free account. The vulnerability had been reported 48 days prior but remained unresolved. Lovable acknowledged poor communication about data visibility settings and clarified that chat messages for public projects were previously accessible but disabled for enterprise customers since May 25, 2025.",
  "impact": {
    "brand_reputation_impact": "Potential negative impact due to public disclosure",
    "data_compromised": "Chat histories, emails, names, dates of birth, source code, personal details",
    "identity_theft_risk": "High"
  },
  "post_incident_analysis": {
    "corrective_actions": "Disabled chat message accessibility for enterprise customers",
    "root_causes": "Poor data visibility settings and miscommunication"
  },
  "references": [
    {"source": "X (Twitter)"}
  ],
  "response": {
    "communication_strategy": "Public response on X (Twitter) acknowledging poor communication",
    "containment_measures": "Disabled chat message accessibility for enterprise customers",
    "third_party_assistance": "Aikido (security firm for penetration testing)"
  },
  "title": "Lovable Denies Data Breach After User Exposes Chat History Vulnerability",
  "type": "Data Exposure",
  "vulnerability_exploited": "Poor data visibility settings"
}