Lovable data breach? AI app builder responds to claims
Lovable denies a data breach after public project concerns. Here’s what happened, what “public” means and what developers should fix now.
Sometimes, it is not a hack. It is a misunderstanding. That is what Lovable is saying after concerns surfaced about sensitive data appearing in public projects.
On 20 April 2026, the company clarified that its systems were not compromised, and the issue stemmed from how “public” settings were defined. But the episode has sparked a wider conversation around security in AI-powered development tools.
What actually triggered the concern
The debate began when a security researcher claimed they could access another developer’s project using a few API calls. According to the posts, this included source code, database credentials and even chat histories.
The anxiety was fueled by memories of OpenAI's 2023 incident, where a bug briefly allowed users to see titles and messages from other people's ChatGPT histories.
The claims quickly gained attention across developer communities. For many, it looked like a potential data breach. Lovable disagreed with that interpretation. The company said the behaviour was consistent with its platform design, not a failure of its infrastructure.
Where the confusion started
At the centre of the issue is a simple word. Public. Lovable explained that its documentation had not clearly defined what “public” meant. Users assumed it controlled who could see a project, but in reality, it mainly controlled editing permissions.
Once an app is published, it can be accessed through its URL unless additional restrictions are added. This distinction between editing access and visibility created confusion. The company acknowledged this gap and said it is working on clearer documentation.
What Lovable has changed already
Alongside the clarification, Lovable has introduced immediate changes. Chat messages linked to public projects are no longer visible. This closes one of the more sensitive exposure points highlighted in the discussion.
The company also reiterated that public code visibility is intentional. If a project is set to public, its code is expected to be accessible. For enterprise users, there is an added safeguard. Since May 2025, enterprise accounts have not been able to set new projects to public, reducing risk for larger deployments.
Why this matters for AI development tools
Lovable is part of a new wave of platforms that make app building faster and more accessible. Often described as “vibe coding”, these tools allow users to describe what they want and let AI generate working software. This reduces the need for deep technical expertise.
But it also introduces new risks. When building becomes easier, security decisions are often pushed to the background. Defaults matter more, and unclear settings can lead to unintended exposure. This is not unique to Lovable. It reflects a broader challenge in AI-driven tools where usability and security must evolve together.
What developers should check right now
For teams using platforms like Lovable, this is a good moment to review configurations. Start with visibility settings. Older projects created during experimentation may still be public without teams realising it. Next, secure live applications. Add authentication layers if the app handles customer data or internal systems.
It is also important to rotate credentials and audit access logs. If any sensitive information was exposed, updating keys and reviewing logs can reduce risk. For regulated environments, additional controls like secrets management and code reviews should be standard practice.
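An added example, not code from Lovable or from the original article: a minimal Python check that lists credential-like literals in projects whose source others can read, so those keys are rotated first. The inventory format (name, visibility, files) and every sample value are constructed for illustration, and the patterns are not exhaustive.

```python
import re

# Illustrative patterns for literal credentials; not exhaustive.
PATTERNS = {
    "db_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/@]+:([^\s@]+)@"),
    "assigned_secret": re.compile(
        r"(?i)\b[\w-]*(?:secret|password|passwd|api[_-]?key|token)[\w-]*"
        r"\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
}
# Environment references and obvious dummies are not literal secrets.
PLACEHOLDER = re.compile(r"^(?:\$\{?\w+\}?|<[^>]+>|x{4,}|changeme)$", re.I)

# Constructed inventory: hypothetical export format, made-up values.
SAMPLE = [
    {"name": "demo-crm", "visibility": "public", "files": {
        ".env": "DATABASE_URL=postgres://app:s3cr3tPass!@db.example.internal/crm\n",
        "src/client.ts": 'const apiKey = process.env.API_KEY;\n'
                         'const SERVICE_TOKEN = "tok_live_constructed_0001";\n',
    }},
    {"name": "internal-tool", "visibility": "private", "files": {
        "config.js": 'const password = "hunter2hunter2";\n'}},
]

def redact(value):
    """Show two characters only, enough to identify the key in a ticket."""
    return value[:2] + "*" * 6

def scan_text(text):
    """Yield (line_number, kind, redacted_value) per literal credential."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if not PLACEHOLDER.match(m.group(1)):
                    yield lineno, kind, redact(m.group(1))

def rotation_list(projects):
    """Findings for projects whose source is readable by others."""
    findings = []
    # Public projects first: their code is visible by design.
    for project in (p for p in projects if p["visibility"] == "public"):
        for path, text in project["files"].items():
            for lineno, kind, shown in scan_text(text):
                findings.append((project["name"], path, lineno, kind, shown))
    return findings

if __name__ == "__main__":
    for finding in rotation_list(SAMPLE):
        print(*finding, sep="  ")
```

Every key the check reports should be treated as exposed and rotated, not just removed from the file.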
The business behind the headlines
Lovable has grown quickly since its founding in 2023. The Stockholm-based company raised around $330 million in December 2025 at a valuation of about $6.6 billion. Its rapid rise reflects strong demand for tools that simplify software development. CEO Anton Osika has positioned the platform as a way to make production-grade development accessible to more people.


