Lovable exposed 170+ small business databases in February 2026. Moltbook lost 1.5 million API keys. AI website builders are incredible — but most business owners have no idea what's sitting exposed in their backend.
AI-built websites like Lovable and Bolt.new are launching with serious security gaps. 45% of AI-generated code fails basic security checks. If your site collects data, has user logins, or connects to any API, here's what to audit right now.
January 2026. A startup called Moltbook — a social network built almost entirely using AI tools — had 1.5 million API keys sitting in an exposed database. Not buried deep in some obscure backend. Accessible to anyone who knew where to look.
A month later, security researchers ran a systematic scan of websites built with Lovable, one of the most popular AI website builders of the past year. They found more than 170 databases with zero row-level security. Customer emails, form submissions, booking records, and in some cases sensitive personal information — sitting there, readable, on businesses that had no idea.
This isn't a hypothetical future risk. This is what happened in the last 90 days.
For anyone who hasn't been following the trend: vibe coding is the practice of building websites, apps, and digital products by describing what you want to an AI — Lovable, Bolt.new, Cursor, Claude Code — and having it write the code for you. No traditional development experience required.
The results are genuinely impressive. For prototypes, personal projects, landing pages, and early-stage products, it has changed what's possible for founders and small business owners with limited budgets.
The problem is not the tools. The problem is when real businesses — ones collecting real customer data, processing real transactions, or storing anything sensitive — launch these AI-built products without anyone with security experience ever reviewing them.
The Lovable scan found something specific: no row-level security. In plain English, here is what that means.
Imagine your website has a customer database. Row-level security means each user can only access their own records — their own bookings, their own account history, their own payment info. Without it, the structure is there but the gates are not locked. Someone who understands how to query a database can access records that do not belong to them.
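Here is what locking those gates looks like in PostgreSQL, as an added illustration and not code from the article, from Lovable, or from any of the affected sites. The bookings table, its columns, and the app.user_id session setting that the application is assumed to set per request are all constructed for the example.

```sql
-- Constructed example: one row per booking, each owned by one user.
CREATE TABLE bookings (
    id             bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    owner_id       uuid        NOT NULL,
    customer_email text        NOT NULL,
    starts_at      timestamptz NOT NULL
);

-- State found in the scan: RLS off. Any role with SELECT on the table
-- reads every row, not just its own. Turning RLS on with no policy yet
-- flips the default to deny, which is the safe starting point.
ALTER TABLE bookings ENABLE ROW LEVEL SECURITY;
-- Apply the policies to the table owner as well, which otherwise bypasses RLS.
ALTER TABLE bookings FORCE ROW LEVEL SECURITY;

-- Assumption: the app runs  SET LOCAL app.user_id = '<uuid>'  inside each
-- request's transaction. NULLIF guards the unset/empty case so that an
-- unauthenticated request matches no rows instead of raising a cast error.
CREATE POLICY bookings_owner_only ON bookings
    FOR ALL
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- Audit query: every ordinary table in the public schema that still has
-- RLS disabled. An empty result is what you want to see before launch.
SELECT n.nspname AS schema, c.relname AS table_name
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind = 'r'
  AND  n.nspname = 'public'
  AND  NOT c.relrowsecurity
ORDER  BY c.relname;
```

With the policy in place, a session that sets app.user_id to one customer's id sees and modifies only that customer's bookings; a session that never sets it sees nothing.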
For a service business, that might be intake forms with client names and contact details. For a health-adjacent practice, it gets significantly more serious. For anyone storing payment methods or account credentials, the exposure is direct.
Proofpoint also reported tens of thousands of malicious URLs built with Lovable being used in phishing campaigns in early 2026. The AI-generated sites looked legitimate — professional design, real domains, functional forms — because they were built with the same tools used to build legitimate businesses. That is the other edge of this sword.
Security researchers testing AI-generated code have found that 45% of it fails basic security checks. Not sophisticated zero-day attacks. Not advanced persistent threats. Basic checks that any security audit would run first.
That is not a knock on AI tools — they are improving rapidly. It is a reflection of the gap between "this looks like it works" and "this is safe for real-world use."
Not every site is at risk. A simple portfolio site or a landing page that sends form submissions to your email has a small risk surface.
The risk scales directly with what your site does. You should pay close attention if your site:
If any of those describe your site and it was built primarily through an AI tool without a dedicated security review, it is worth taking a serious look.
Here is what the businesses that were not exposed in these incidents have in common: they did not skip the security conversation before launch.
That sounds obvious. But it is a completely different conversation than most web projects have. It is not about whether the site looks right or whether the contact form sends correctly. It is about who can access what, what happens if a credential leaks, how the backup plan works, and whether any part of what you are collecting triggers compliance requirements for your industry.
Those are not complicated questions. They are just not questions AI tools ask automatically — because the tool is building what you describe, not auditing what you haven't thought of yet.
Before drawing conclusions either way, run through these honestly:
Who built your site? If it was primarily AI-generated, do you know whether a developer reviewed it before launch?
What does your site collect? Forms, bookings, and user accounts require backend security, not just a clean frontend.
Where does that data go? Is it stored in a database? Do you know which one, and who has access to it?
Are any API keys in your frontend code? AI tools sometimes embed API keys where they are visible to anyone who inspects the page source.
Has your site had any security review since launch? Even a lightweight one?
If you cannot answer most of these, that is the useful information. It tells you where to focus.
AI tools are not the enemy. They have made building on the web more accessible than it has ever been, and that is genuinely good for small businesses. But accessibility and security are two separate things — and for a business collecting real data from real customers, both matter.
The businesses that are going to do well in this next phase are not the ones avoiding AI tools. They are the ones who pair those tools with someone who knows where the gaps are and closes them before launch, not after.
👉 Get a security and architecture review or Book a strategy call with Sitora