On March 14, 2026, Italian streamer Grenbaud (Simone Buratti) launched a social network called Baudr. Live. On Twitch. In front of thousands of viewers.
He built the entire thing with AI. Cost: approximately 40 euros. No developers. No security review. No legal counsel.
Within hours, someone typed /admin in the browser. The administration panel was wide open. No authentication. No access control. Nothing.
What followed:
- Thousands of user accounts deleted in bulk
- Personal data downloaded by unauthorized individuals
- Fraudulent messages sent from compromised accounts
- The site taken offline for emergency repairs
This is the first documented real-world data breach caused by vibe coding.
What Baudr Collected
Baudr wasn't a toy project. It was a social network with real users and real data. The platform collected:
- Twitch ID and personal photos
- Name, age, city, zodiac sign
- Hobbies and music preferences
- YouTube channels and Instagram usernames
- Private messages between users
All of this was exposed when the admin panel turned out to be accessible to literally anyone.
The 9 Critical Vulnerabilities
Security researcher Pasquale Pillitteri analyzed Baudr's architecture and identified 9 critical issues:
- Open admin panel (no authentication at all)
- No access control on API endpoints
- Personal data exposure (photos, messages, location data)
- Missing input validation
- No rate limiting
- Client-side security only (all checks in the browser, none on the server)
- Missing HTTPS enforcement
- No data encryption at rest
- GDPR non-compliance (collecting minor data without safeguards)
Every single one of these is a known pattern in AI-generated code. Escape.tech found the same issues across 5,600 vibe-coded apps. Tenzai found them in all 15 apps they tested. This isn't one bad developer. This is a systemic problem.
The Numbers Behind the Pattern
Baudr isn't an isolated incident. It's what the data has been predicting:
- 5,600 apps scanned by Escape.tech, with 2,000+ vulnerabilities and 400 exposed secrets
- 0 out of 15 apps tested by Tenzai had proper security headers
- 45% of AI-generated code contains vulnerabilities (Kaspersky)
- 60% of random Lovable repos we scanned failed security audits
- 443 malicious files using vibe-coded techniques detected by McAfee Labs
The Baudr case is the first time we saw these statistics turn into real consequences for real users.
Why AI Gets Security Wrong
AI coding tools optimize for "does it work?" They do not optimize for "is it secure?"
When you tell Claude or Cursor to "build me a social network," it builds you a social network. It creates the profiles, the matching system, the messaging. It makes it functional.
What it doesn't do:
- Add authentication to the admin panel (because you didn't ask)
- Implement Row Level Security on the database (because it wasn't in the prompt)
- Add rate limiting (because the app "works" without it)
- Encrypt data at rest (because the prompt said "store user data," not "store user data securely")
The AI follows instructions. The instructions don't include security because the person writing them doesn't know to ask for it.
What You Should Do Right Now
If you've vibe-coded an app that handles any user data:
1. Scan it
Run your code through a security scanner. VibeCheck is free, requires no signup, and checks for exactly the vulnerabilities that hit Baudr: exposed admin panels, missing auth, open API endpoints, hardcoded secrets, missing security headers.
2. Check your admin routes
Search your codebase for any route containing "admin," "dashboard," or "panel." If it doesn't have authentication middleware, fix it now.
3. Check your API endpoints
Every endpoint that reads, writes, or deletes data needs authentication. Not just the ones that seem sensitive. All of them.
4. Add security headers
CSP, HSTS, X-Frame-Options, X-Content-Type-Options. These take 5 minutes to add and block entire categories of attacks.
5. Review your database access
If you're using Supabase, enable Row Level Security. If you're using Firebase, check your security rules. If you're using raw SQL, use parameterized queries.
The Lesson
Grenbaud had a million followers. Baudr had thousands of users within hours. The breach happened within hours too.
The only difference between Baudr and thousands of other vibe-coded apps is that Baudr had an audience watching when it failed.
Your app might have the same vulnerabilities. You just don't have a million people watching.
Scan it anyway.
Data from State of Vibe Coding Security 2026 aggregating Escape.tech, Tenzai, CodeRabbit, Kaspersky, McAfee Labs, and independent research.