Lovable? More like Hackable.
Lovable just raised $330M at a $6.6B valuation. Collins Dictionary named "vibe coding" word of the year. 25 million apps built. The future of software, they say.
So I tested one.
An EdTech app featured on Lovable's own showcase. 100,000+ views. Nearly 400 upvotes. Real users from University of California, Berkeley, and University of California, Davis, schools across Europe, Africa, and Asia.
What I found in a few hours:
→ 16 security vulnerabilities (6 critical)
→ 18,697 user records extractable without logging in
→ Any account deletable with a single API call — no auth
→ Student grades modifiable by anyone on the internet
→ Bulk emails sendable through their infrastructure — zero verification
→ K-12 school domains on the platform — minors' data likely exposed
→ Users from US, EU, Africa, and Asia — potentially triggering violations across 6+ regulatory frameworks:
U.S. Department of Education — FERPA (student education records)
European Commission — GDPR (EU citizen data, fines up to €20M)
Federal Trade Commission — COPPA (children's data from K-12 schools)
NITDA Nigeria — NDPR (Nigerian users)
PDPA (Malaysian users)
DPA (Philippine users)
The root cause? A SQL logic error that might have slipped through AI code generation and was never reviewed. The auth check was literally backwards — blocking logged-in users and allowing anonymous ones through.
This isn't a one-off. A security researcher scanned 1,645 @Lovable apps and found 170 with critical flaws — personal data, API keys, and payment records exposed to anyone. Severity: 9.3/10.
Veracode found 45% of AI-generated code contains security flaws. Palo Alto Networks Unit 42 has documented real breaches of vibe-coded apps. December 2025 testing found 69 vulnerabilities across 5 vibe coding platforms.
When Lovable says they generate apps with "authentication included" — they mean it's included. It just doesn't work.
I reported the issue to Lovable's support team. The ticket was closed without further follow-up.
The full write-up covers every finding, the systemic pattern behind it, and what needs to change — for platforms, for builders, and for the industry.
"Ship fast, break things" sounds great — until "things" means 18,000 people's personal data.
cc: Supabase, OWASP® Foundation
#VibeCoding #Cybersecurity #Lovable #AppSecurity #StartupSecurity #EdTech #InfoSec #VibeCodingSecurity #AI #SecurityAudit #GDPR #FERPA #COPPA #DataPrivacy #DataBreach
Lovable is a $6.6B vibe coding platform. They showcase apps on their site as success stories.
I tested one — an EdTech app with 100K+ views on their showcase, real users from UC Berkeley, UC Davis, and schools across Europe, Africa, and Asia.
Found 16 security vulnerabilities in a few hours. 6 critical. The auth logic was literally backwards — it blocked logged-in users and let anonymous ones through. Classic AI-generated code that “works” but was never reviewed.
What was exposed:
18,697 user records (names, emails, roles) — no auth needed
Account deletion via single API call — no auth
Student grades modifiable — no auth
Bulk email sending — no auth
Enterprise org data from 14 institutions
I reported it to Lovable. They closed the ticket.
submitted by /u/VolodsTaimi
Originally posted by u/VolodsTaimi on r/ClaudeCode
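Added illustration, not part of the post above and not the audited app's code: the post never shows the actual policy, only that a SQL auth check was inverted so anonymous callers passed and logged-in users were blocked. Lovable apps commonly sit on Supabase (the post cc's Supabase, but the backend is an assumption here), where that check is a PostgreSQL row-level-security policy. The script below builds a hypothetical policy with exactly that inversion, reproduces both halves of the symptom with the `anon` and `authenticated` roles, then replaces it with the hardened form. It runs on plain PostgreSQL; `auth.uid()` is a local stand-in for Supabase's function of the same name, which reads the caller's JWT claims from the `request.jwt.claims` setting, and the table and rows are constructed sample data.

```sql
-- Added example (hypothetical policy), not the audited app's code.
-- Local stand-in for Supabase's auth.uid(): the "sub" claim of the caller's JWT,
-- which PostgREST exposes to SQL through the request.jwt.claims setting.
create schema if not exists auth;
create or replace function auth.uid() returns uuid language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')::uuid
$$;

-- Supabase's API roles (they already exist on a real Supabase project):
-- anon for callers with no session, authenticated for callers with a JWT.
create role anon nologin;
create role authenticated nologin;
grant usage on schema public, auth to anon, authenticated;

-- Constructed sample data standing in for the user records the post describes.
create table public.profiles (
  id        uuid primary key,
  email     text not null,
  full_name text,
  role      text
);
insert into public.profiles values
  ('11111111-1111-1111-1111-111111111111', 'student@example.edu', 'Student One', 'student'),
  ('22222222-2222-2222-2222-222222222222', 'teacher@example.edu', 'Teacher Two', 'teacher');
grant select, update, delete on public.profiles to anon, authenticated;
alter table public.profiles enable row level security;

-- VULNERABLE (hypothetical): one dropped NOT. The intended condition was
-- "auth.uid() is not null" (any logged-in user). As written the policy passes
-- only when there is no user at all: anonymous callers match every row and
-- logged-in users match none, which is the inversion the post describes.
create policy profiles_read on public.profiles
  for select using (auth.uid() is null);

-- Reproduce as an anonymous caller: no JWT claims are set, so auth.uid() is null
-- and every row is visible.
begin;
  set local role anon;
  select count(*) as rows_visible_to_anon from public.profiles;
rollback;

-- Reproduce as a logged-in student: claims set the way PostgREST injects them.
-- auth.uid() is now non-null, so the policy matches nothing and the student
-- sees an empty table.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
  select count(*) as rows_visible_to_student from public.profiles;
rollback;

-- FIX: restrict the policy to the authenticated role and to the caller's own
-- row, and give write access the same treatment. With RLS enabled, a role with
-- no matching policy is denied, so anon can no longer read, update or delete
-- anything, and a logged-in user can only touch their own record.
drop policy profiles_read on public.profiles;
create policy profiles_read_own on public.profiles
  for select to authenticated using (auth.uid() = id);
create policy profiles_update_own on public.profiles
  for update to authenticated using (auth.uid() = id) with check (auth.uid() = id);
create policy profiles_delete_own on public.profiles
  for delete to authenticated using (auth.uid() = id);

-- Re-check after the fix: anon sees no rows, and an unauthenticated delete
-- of another user's account affects no rows instead of removing it.
begin;
  set local role anon;
  select count(*) as rows_visible_to_anon from public.profiles;
  delete from public.profiles where id = '22222222-2222-2222-2222-222222222222';
rollback;

-- The student now sees exactly one row: their own.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
  select count(*) as rows_visible_to_student from public.profiles;
rollback;
```

Run it with `psql -f` against a throwaway database as a superuser; `set local role` drops the session to the API role for each block, so the counts show what an unauthenticated HTTP caller and a logged-in student would get through the REST layer. The check worth automating is the first block: if `select count(*)` as `anon` returns anything other than zero for a table that holds personal data, the policy is wrong regardless of what the application's UI shows.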