DEV Community

Not Elon

Two Vibe Coding Data Breaches. Zero Lines of Code Written. This Is a Pattern Now.

In February 2026, security firm Wiz discovered a misconfigured database in Moltbook, a social networking site built entirely through vibe coding. The founder stated he "didn't write one line of code." The breach exposed 1.5 million authentication tokens and 35,000 email addresses. All wide open to the internet.

Two weeks later, Italian streamer Grenbaud launched Baudr, another social network built entirely with AI for 40 euros. Within hours, users discovered the admin panel at /admin was accessible to anyone. Thousands of accounts were deleted. Personal data was downloaded. Fraudulent messages were sent from compromised accounts.

Two breaches. Two social networks. Both built without writing a single line of code. Both failed within days of launch.

This is not a coincidence. This is a pattern.

The Numbers Behind the Pattern

These breaches did not happen in isolation. The data has been accumulating:

  • Escape.tech scanned 5,600 vibe-coded apps and found 2,000+ vulnerabilities and 400 exposed secrets
  • Tenzai tested 15 apps across 5 AI coding tools. Zero had security headers. Zero.
  • CodeRabbit found AI co-written code has 2.74x more XSS vulnerabilities than human-only code
  • Kaspersky reports 45% of AI-generated code contains security vulnerabilities
  • The UK NCSC CEO just warned about vibe coding security at RSA Conference 2026

The scale of the problem is not theoretical anymore. We have breach data. We have vulnerability data. We have government warnings.

Why Vibe-Coded Apps Keep Getting Hacked

The root cause is the same in both breaches: AI generates code that works functionally but is not configured securely.

Moltbook's database had no access controls. Baudr's admin panel had no authentication. In both cases, the AI built what was asked for. A social network. Login. Posts. Messages. It all worked.

What was not asked for: security headers, rate limiting, access controls, input validation, encryption at rest, authentication on admin routes.

AI optimizes for "does it work?" not "is it secure?" And when 63% of vibe coders are non-developers (per platform surveys), they do not know to ask.

The Security Scanner Response

The market has responded faster than any government regulation could. In the span of a single month:

  • 11 security scanners have launched specifically for vibe-coded apps
  • Lovable added built-in security scanning AND AI pentesting to their platform
  • Enterprise vendors like Snyk and Aikido have published vibe coding security guides
  • Open-source CLI tools, Chrome extensions, web scanners, and IDE plugins are all competing for the same problem

A month ago, there were zero tools for scanning vibe-coded apps. Now there are eleven. That is how fast the market validated this problem.

What You Should Do Right Now

If you have shipped a vibe-coded app without a security review:

  1. Scan your source code for committed secrets (.env files, hardcoded API keys, database credentials)
  2. Check your database access controls (Supabase RLS, Firebase security rules, MongoDB auth)
  3. Test your admin routes (can anyone access /admin, /dashboard, /api/admin?)
  4. Check security headers (CSP, HSTS, X-Frame-Options, CORS)
  5. Review authentication on every API route that writes, deletes, or returns sensitive data
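The five checks above, as one added offline example that is not code from the post or from any of the scanners it mentions. Each step becomes a function over a constructed input (a few repo files, a migration, the results of unauthenticated probes, a response header set, and a route table); a real scan runs the same functions over your repository and your live site. The secret patterns, the `requireAuth` middleware name and all sample values are assumptions for illustration.

```javascript
// Added example (not code from the original post): an offline version of the
// five post-launch checks, run over constructed inputs. The patterns, sample
// files, probe results, headers and route table are assumptions for illustration.

// 1. Committed secrets. A few high-signal patterns; real scanners carry many more.
const SECRET_PATTERNS = [
  { name: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "Stripe live secret key", re: /\bsk_live_[0-9A-Za-z]{8,}\b/ },
  { name: "private key block", re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/ },
  { name: "database URL with password", re: /\b(?:postgres(?:ql)?|mongodb(?:\+srv)?):\/\/[^:\s\/]+:[^@\s]+@/ },
];

function findSecrets(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      for (const { name, re } of SECRET_PATTERNS) {
        if (re.test(line)) findings.push({ path, line: i + 1, name });
      }
    });
  }
  return findings;
}

// 2. Database access controls (Supabase / Postgres flavour): every table a
// migration creates should also have row level security enabled.
function tablesWithoutRls(sql) {
  const created = [...sql.matchAll(/create table\s+(?:if not exists\s+)?(?:public\.)?"?(\w+)"?/gi)]
    .map((m) => m[1].toLowerCase());
  const withRls = new Set(
    [...sql.matchAll(/alter table\s+(?:public\.)?"?(\w+)"?\s+enable row level security/gi)]
      .map((m) => m[1].toLowerCase()),
  );
  return created.filter((t) => !withRls.has(t));
}

// 3. Admin routes: each probe is {path, status} from a request sent with no
// cookies or tokens; any 2xx answer is a finding.
function exposedAdminRoutes(probes) {
  return probes.filter((p) => p.status >= 200 && p.status < 300).map((p) => p.path);
}

// 4. Security headers that should be present, plus a CORS setting to review.
const REQUIRED_HEADERS = [
  "content-security-policy",
  "strict-transport-security",
  "x-frame-options",
  "x-content-type-options",
];

function headerFindings(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = REQUIRED_HEADERS.filter((name) => !(name in h)).map((name) => `missing ${name}`);
  if (h["access-control-allow-origin"] === "*") {
    findings.push("access-control-allow-origin is *; confirm no authenticated data is served cross-origin");
  }
  return findings;
}

// 5. Authentication on routes that write, delete, or return sensitive data.
// Route entries are {method, path, middleware: [...], sensitive?: boolean};
// "requireAuth" is the assumed name of the app's auth middleware.
const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

function unauthenticatedRiskyRoutes(routes) {
  return routes
    .filter((r) => (MUTATING.has(r.method.toUpperCase()) || r.sensitive) && !r.middleware.includes("requireAuth"))
    .map((r) => `${r.method.toUpperCase()} ${r.path}`);
}

// Constructed sample inputs standing in for a real repo and a real live site.
const SAMPLE = {
  files: {
    ".env": "DATABASE_URL=postgres://app:hunter2@db.example.internal:5432/app\n",
    "src/pay.js": "const stripe = require('stripe')('sk_live_CONSTRUCTEDSAMPLE1234');\n",
    "README.md": "Set STRIPE_KEY in your environment.\n",
  },
  migration:
    "create table public.posts (id uuid primary key, body text);\n" +
    "alter table public.posts enable row level security;\n" +
    "create table public.messages (id uuid primary key, body text);\n",
  probes: [
    { path: "/admin", status: 200 },
    { path: "/dashboard", status: 302 },
    { path: "/api/admin/users", status: 401 },
  ],
  headers: { "Content-Type": "text/html", "X-Content-Type-Options": "nosniff", "Access-Control-Allow-Origin": "*" },
  routes: [
    { method: "GET", path: "/api/posts", middleware: [] },
    { method: "POST", path: "/api/posts", middleware: ["requireAuth"] },
    { method: "DELETE", path: "/api/posts/:id", middleware: [] },
    { method: "GET", path: "/api/me", middleware: [], sensitive: true },
  ],
};

function runChecklist(input = SAMPLE) {
  return {
    secrets: findSecrets(input.files),
    tablesWithoutRls: tablesWithoutRls(input.migration),
    exposedAdminRoutes: exposedAdminRoutes(input.probes),
    headerFindings: headerFindings(input.headers),
    unauthenticatedRiskyRoutes: unauthenticatedRiskyRoutes(input.routes),
  };
}

console.log(JSON.stringify(runChecklist(), null, 2));
```

On the constructed sample the report flags the database URL in `.env`, the live Stripe key, the `messages` table with no RLS, the open `/admin` probe, three missing headers plus the wildcard CORS origin, and the unauthenticated `DELETE` and `/api/me` routes. An empty report on your own inputs is the bar before launch, not a badge afterwards.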

Tools like VibeCheck can scan your GitHub repo or live site for free. No signup. Results in seconds.

Or use any of the 11 scanners now available. The point is not which tool. The point is that you scan.

The Pattern Will Continue

Moltbook. Baudr. These are the ones we know about. With 200,000 new vibe-coded projects created on Lovable alone every day, the question is not whether there will be more breaches.

The question is how many are already breached and nobody has noticed.


Data aggregated from Escape.tech, Tenzai, CodeRabbit, Kaspersky, Wiz, McAfee, and independent research.
