Lovable has a mass data breach affecting every project created before november 2025.
I made a lovable account today and was able to access another users source code, database credentials, AI chat histories, and customer data are all readable by any free account.
nvidia, microsoft, uber, and spotify employees all have accounts. the bug was reported 48 days ago. its not fixed. They marked it as duplicate and left it open.
I made a lovable account today and was able to access another users source code, database credentials, AI chat histories, and customer data are all readable by any free account.
nvidia, microsoft, uber, and spotify employees all have accounts. the bug was reported 48 days ago. its not fixed. They marked it as duplicate and left it open.
Heres how i accessed another user's profile, listed their public projects, and downloaded the source code of an admin panel for Connected Women in AI, a real danish nonprofit. the project was last edited 10 days ago. the developer has 3,703 edits this year. this is not abandoned. this is active.
i extracted the database credentials from the source code and queried it. got back real names, real companies, real linkedin profiles. speakers from Accenture Denmark and Copenhagen Business School. not test data. not "John Doe". real people at real companies who have no idea their information is exposed.
this is not hacking. this is five API calls from a free account.
i extracted the database credentials from the source code and queried it. got back real names, real companies, real linkedin profiles. speakers from Accenture Denmark and Copenhagen Business School. not test data. not "John Doe". real people at real companies who have no idea their information is exposed.
this is not hacking. this is five API calls from a free account.
lovable patched this for new projects. they never patched it for existing ones.
i tested both today. a project created in april 2026 returns 403 forbidden. the same developer's older project, actively edited 10 days ago, returns 200 OK with the full source tree. same API. same endpoint. same free account. same session. one is protected. the other is wide open.
the first hackerone report was filed march 3 2026. lovable marked it triaged. then they shipped ownership checks for new projects and left every existing project exposed. 48 days later nothing has changed.
they chose to protect new users and abandon everyone who already built on the platform.
i tested both today. a project created in april 2026 returns 403 forbidden. the same developer's older project, actively edited 10 days ago, returns 200 OK with the full source tree. same API. same endpoint. same free account. same session. one is protected. the other is wide open.
the first hackerone report was filed march 3 2026. lovable marked it triaged. then they shipped ownership checks for new projects and left every existing project exposed. 48 days later nothing has changed.
they chose to protect new users and abandon everyone who already built on the platform.
it gets worse. every conversation you have with lovable's AI is stored and readable through the same bug.
i read the full chat history of a project built for a real danish nonprofit. the developer discussed database schemas with the AI. tables with email, first_name, last_name, date_of_birth, company, job_title, linkedin_url, stripe_customer_id. the AI generated SQL migrations. supabase credentials appeared in the conversation. all of it is readable by any free account.
people tell the AI what they want to build. they paste error logs. they discuss their business logic. they share credentials. lovable stores all of it and exposes all of it.
i read the full chat history of a project built for a real danish nonprofit. the developer discussed database schemas with the AI. tables with email, first_name, last_name, date_of_birth, company, job_title, linkedin_url, stripe_customer_id. the AI generated SQL migrations. supabase credentials appeared in the conversation. all of it is readable by any free account.
people tell the AI what they want to build. they paste error logs. they discuss their business logic. they share credentials. lovable stores all of it and exposes all of it.
Another awful business decision made by SF elites.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
