Sites created by AI platforms contain exposed sensitive data — RedAccess study

Source: 3DNews AI. Collage: Hamidun News.

AI-powered website creation platforms — Lovable, Base44, Replit, Netlify — promise to turn anyone into a developer in seconds. But analysis by RedAccess, a cybersecurity specialist, revealed a massive problem: thousands of deployed websites have passwords, API keys, and other confidential data openly accessible.

Scale of Breaches: Thousands of Sites Compromised

The Lovable platform alone hosts over 20,000 public websites. When RedAccess researchers analyzed a significant portion of projects, a systematic and serious problem emerged: users frequently input confidential information into prompts, which then ends up in the generated code. They often don't realize that data left in examples, comments, or even accidentally pasted from the clipboard will be visible to anyone who opens the website's source code. The problem is compounded by the fact that platforms specifically publish websites through public URLs, and the source code is often directly accessible through the browser's view-source tool.

RedAccess found openly exposed:

  • Passwords and API tokens in source code
  • Keys for cloud services (AWS, Google Cloud, Azure)
  • Employee email addresses and mobile phone numbers
  • Links to internal admin panels and services
  • Database dumps with customer personal information
  • SSH logins and passwords for remote server access

Platforms Shift Responsibility to Users

The developers of Lovable, Base44, Replit, and Netlify take a unified position: they provide tools, and users are responsible for the content they input into those tools. From a formal standpoint, this is fair — just as a knife manufacturer isn't responsible for someone getting cut by a knife. But security experts point out a critical distinction: these platforms are explicitly designed and marketed for people without coding experience. When a system is oriented toward novices who by definition don't know what an API key is and why it shouldn't be left in code, the developer must either add a very prominent warning or embed automatic scanning and blocking of sensitive data before publication.

"Platforms are designed for people who don't know the basics of information security. When a system is created for them, the creator bears responsibility for basic protection," the RedAccess research states.

What This Means for the Industry

AI code generators are literally reshaping the web development landscape: they are orders of magnitude cheaper and faster than hiring an experienced developer. But they create a new category of security problems that the old generation of developers simply didn't anticipate. For companies using such services, the advice is simple: if you use Lovable, Replit, or similar platforms, review the generated code before deploying to production. Never pass real passwords, API keys, or access to confidential data to AI systems. Use fixed dummy values instead.

For the platforms themselves, this is a window of opportunity. The first company to add built-in automatic code scanning for data leaks and deployment blocking when sensitive information is detected will gain enormous competitive advantage in the form of trust from corporate and government clients. And RedAccess will just become a story — about when the industry was still careless.
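The pre-publication scan-and-block gate the article calls for, sketched as an added example; this is not RedAccess's tooling or any platform's code. The sample generated file is constructed, the AWS access key ID prefix (AKIA/ASIA) and PEM header are real formats, and the other patterns and the dummy-value markers are heuristics that a real pipeline would need to tune.

```python
import re

# Patterns for the kinds of secrets the study reported in generated sites.
# AWS access key IDs and PEM private-key headers have fixed formats; the
# generic pattern is a heuristic (assumed, not from any vendor scanner).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Fixed dummy values, as the article recommends, are allowed through.
DUMMY_MARKERS = ("example", "dummy", "placeholder", "changeme", "xxxx")

# Constructed sample of code an AI site builder might emit from a prompt
# that contained real credentials (none of these values are real).
SAMPLE_GENERATED_JS = """\
// constructed sample of code an AI site builder might emit
const AWS_KEY = "AKIAQWERTYUIOPASDFGH";
const API_KEY = "sk-live-0123456789abcdef";
const password = "dummy-password";
const sshKey = `-----BEGIN OPENSSH PRIVATE KEY-----`;
fetch("https://api.example.com/data");
"""

def is_dummy(matched: str) -> bool:
    """Treat a match as a deliberate placeholder if it carries a dummy marker."""
    return any(m in matched.lower() for m in DUMMY_MARKERS)

def scan_source(text: str):
    """Return (line_no, kind) findings; the secret itself is never echoed."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in SECRET_PATTERNS.items():
            if any(not is_dummy(m.group(0)) for m in pat.finditer(line)):
                findings.append((n, kind))
    return findings

def publish_allowed(files: dict) -> bool:
    """Deployment gate: refuse to publish if any file has a likely secret."""
    return all(not scan_source(src) for src in files.values())

if __name__ == "__main__":
    for line_no, kind in scan_source(SAMPLE_GENERATED_JS):
        print(f"app.js:{line_no}: possible {kind}")
    print("publish allowed:", publish_allowed({"app.js": SAMPLE_GENERATED_JS}))
```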

ZK
Hamidun News