Vibe-Coded Apps Are Shipping With Customer Data Exposed. The Security Bill Is Coming.
Security researchers found 380,000 publicly accessible assets from AI-generated apps, with roughly 5,000 containing sensitive data. The speed of vibe coding is real. So is the risk.
The same thing that makes vibe coding fast is what makes it dangerous. Nobody is reviewing the code because reviewing the code defeats the purpose.
The vibe coding movement has a security problem. RedAccess, an Israeli cybersecurity firm, scanned publicly accessible applications built with AI coding tools and found 380,000 exposed assets. Roughly 5,000 of those contained sensitive data, including API keys, database credentials and customer information, sitting in publicly accessible repositories and deployments.
The numbers align with broader research. Studies suggest that 40% to 62% of AI-generated code contains security vulnerabilities. The range depends on the model, the prompting technique and whether any human review happens before deployment. In the vibe coding workflow, that review step is often skipped entirely. The whole point is speed.
The pattern is predictable. A founder or marketing team uses Cursor, Replit Agent or a similar tool to build a landing page, a form handler or a lightweight app. The AI generates functional code quickly. It ships. Nobody checks whether the environment variables are exposed, whether the database has authentication or whether the API endpoints are rate-limited. The app works, which is not the same thing as saying the app is secure.
For marketing teams specifically, the risk concentrates around form handlers, analytics integrations and payment processing. These are the components most likely to be built quickly with AI tools and most likely to handle sensitive customer data.
Why it matters
The Australian Privacy Act reforms are tightening. The penalties for data breaches are increasing. And the regulatory environment does not care whether your data was exposed by a junior developer or an AI coding assistant. The liability sits with the organisation that collected the data.
Vibe coding is not going away. The productivity gains are too real. But the gap between "it works" and "it is secure" is where the risk lives. Marketing teams building quick tools, microsites and integrations with AI coding assistants need to treat security review as a non-negotiable step, not an optional add-on.
What to do about it
If your team has shipped anything built with AI coding tools in the last six months, run a security audit. Check for exposed environment variables, open database endpoints and unsecured API routes. Tools like Snyk, GitGuardian and even basic penetration testing will catch the obvious gaps. The cost of a security review is a fraction of the cost of a data breach notification under Australian law.
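The first check named above, exposed environment variables and credentials, can be run against a build folder before it goes live. This is an added example, not code from the article or from any tool it mentions; the function names, the heuristic patterns and the constructed sample files are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Patterns for the leaks the article names. The AWS key-ID shape is a public
# format; the other two are heuristic assumptions and are not exhaustive.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_uri_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/@]+:[^\s@]+@"),
    "hardcoded_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*[\"'][^\"']{12,}[\"']"),
}
TEXT_SUFFIXES = {".js", ".mjs", ".html", ".json", ".map", ".txt", ".yml", ".yaml"}


def audit_deploy_dir(root):
    """Return sorted (relative_path, finding) pairs for files under `root`."""
    root = Path(root)
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        # A .env file has no place in a folder that is served to the public.
        is_env = path.name == ".env" or path.name.startswith(".env.")
        if is_env:
            findings.append((rel, "env_file_in_deploy_dir"))
        if is_env or path.suffix in TEXT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for name, pattern in PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, name))
    return sorted(findings)


def demo():
    """Build a constructed deploy folder (fake values only) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "assets").mkdir()
        (site / "index.html").write_text("<h1>Sign up</h1>")
        (site / ".env").write_text(
            "DATABASE_URL=postgres://app:EXAMPLEPASS@db.example.invalid/app\n")
        (site / "assets" / "app.js").write_text(
            'const apiKey = "constructed-not-a-real-key-0001";\n'
            'const id = "AKIAEXAMPLEEXAMPLE00";\n')
        return audit_deploy_dir(site)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:26} {rel}")
```

Any finding in a folder that has already been deployed means the value should be rotated, not just deleted from the file. An empty result only shows that these few patterns did not match.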