Describe an app. It appears. Then it leaks.
Vibe coding turned "I have an idea" into "I have a product." It also left 1.5 million passwords sitting on the open internet.
In June 2025, a 31-year-old named Maor Shlomo sold his startup to Wix for $80 million in cash. The company was six months old. It had no outside investors, almost no staff, and was — for most of its short life — essentially one person and a chat box.
The product, Base44, did something that still sounds like a magic trick: you describe the app you want in plain English, and it builds it. Front end, database, login, the works. No code, no team, no learning curve. Shlomo had stumbled onto what he called "the holy grail — software that builds software."
This is vibe coding, and in the year since it got its name it has gone from a weekend toy to one of the fastest-growing categories in tech. It is genuinely amazing. It is also quietly leaking a staggering amount of data. This week we look at both halves.
🛠️ So what actually is vibe coding?
The term comes from Andrej Karpathy — OpenAI co-founder, former Tesla AI lead — who posted it on February 2, 2025. His definition was almost a dare: "You fully give in to the vibes, embrace exponentials, and forget that the code even exists."
You don't read the code. You don't really write it. You describe what you want, the AI generates it, you look at the result, and if it's wrong you just ask again. Karpathy meant it for throwaway weekend projects. The internet, predictably, took it straight to production.
The idea caught fire fast enough that Collins named "vibe coding" its 2025 Word of the Year, and Merriam-Webster flagged it as trending by March. The premise is seductive and, honestly, kind of beautiful: the gap between "I have an idea" and "I have a real product" shouldn't require a CS degree or a co-founder. It should require a good description and the right tool.
✨ The genuinely cool part
When it works, the speed is absurd.
Base44 is the poster child. Shlomo built it solo in early 2025. Within three weeks it had 10,000 users; within six months, 350,000 users and about $200,000 a month in revenue — without raising a single dollar. Then Wix bought it. One person, one idea, an eight-figure exit, and a product real people use every day.
It's not a fluke, either. Lovable, another vibe-coding platform, went from $0 to $200 million in annual recurring revenue in twelve months — one of the fastest climbs any software company has ever posted — and raised at a $6.6 billion valuation in December 2025, with eight million users on board.
The thing underneath the hype is real. People who could never have shipped software before are shipping it: internal tools, side businesses, prototypes that turn into companies. That's not nothing. That's the most democratizing thing to happen to building software in a generation.
This is the headline of 2026: the barrier to making software didn't fall. It vanished.
⚠️ Now the part nobody screenshots
Here's the catch with "forget the code even exists": the code still exists. And so do the doors it leaves open.
Start with Moltbook, an AI social network that went viral in early 2026. Researchers at the security firm Wiz found a Supabase database key sitting right there in the front-end JavaScript — visible to anyone who opened the page source. Worse, the database had Row-Level Security switched off, so that one key unlocked everything. The result: 1.5 million API keys, 35,000 email addresses, and private messages exposed on the open internet. The whole thing was patched in a frantic few hours — but only after a stranger found it first.
Then there's Lovable — the $6.6 billion one. A researcher found a flaw (a "Broken Object Level Authorization" bug, BOLA for short) that let any free account, created in minutes, read other users' source code, database credentials, and AI chat histories. It was reported through HackerOne on March 3. The report was closed without escalation. The hole stayed open for 48 days. Lovable's first public response was to insist it "did not suffer a data breach" and call the exposed data "intentional behaviour."
And this isn't two unlucky startups. It's the category:
- Israeli security firm RedAccess scanned the internet and found ~380,000 publicly accessible apps built on tools like Lovable, Base44, Replit and Netlify — roughly 5,000 of them leaking sensitive corporate data.
- Georgia Tech's "Vibe Security Radar" logged 35 new CVEs caused by AI-generated code in March 2026 alone, up from 6 in January.
- Multiple studies now put the share of AI-generated code containing security flaws at 40–62%.
The pattern is always the same. The AI builds the feature you asked for. It does not think about the attacker you didn't mention. Authentication, access controls, where the secrets live — the boring, invisible 80% of real software — gets skipped, because you can't see what isn't there.
🛡️ How to vibe-code without leaking your users
The fix isn't to swear off these tools. They're genuinely great. The fix is to remember that generating an app and shipping one safely are two different jobs.
- Never put a secret in the front end. API keys, database passwords, tokens — if it's in code that ships to the browser, assume the whole world can read it. (This one bug sank Moltbook.) Secrets live on the server, in environment variables, full stop.
- Turn on the locks your database ships with. For Supabase that means Row-Level Security; every backend has an equivalent. The default is often "wide open," and the AI won't flip the switch for you. Check it yourself before launch.
- Treat AI code like an intern's first pull request. It's often good. It is never automatically trusted. Read what touches login, payments, and user data — that's where the expensive mistakes hide.
- Run one free scan before you go live. A secret-scanner and a basic vulnerability check take minutes and catch the exact stuff — exposed keys, missing auth — that made every headline above.
- Rotate anything that's been exposed, immediately. If a key ever sat in public code, it's burned. Revoke it and issue a new one; don't hope nobody noticed.
The throughline: vibe coding gets you a working app in an afternoon, but the last 5% — the security 5% — is still on you. It's also the cheapest insurance you'll ever buy.
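One way to automate the "no secrets in the front end" and "run one scan" checks against your own build output, as an added example (not code from this newsletter or from Supabase). It assumes Supabase's JWT-style API keys, whose payload carries a `role` claim of `anon` or `service_role`; the function names, sample bundle and tokens are constructed for illustration.

```python
import base64
import json
import re

# "eyJ" is how a JSON object's opening '{"' looks in base64.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
SEVERITY = {
    "service_role": "critical",  # bypasses Row-Level Security; server-side only
    "anon": "check-rls",  # public by design, safe only with RLS on every table
}

def decode_segment(segment):
    """Decode one base64url JWT segment to a dict, or None if it is not JSON."""
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        obj = json.loads(raw)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def scan_bundle(name, text):
    """Return one finding per JWT-shaped string in a built front-end file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in JWT_RE.finditer(line):
            claims = decode_segment(match.group().split(".")[1])
            if claims is None:
                continue  # JWT-shaped, but the payload is not a JSON object
            role = claims.get("role")
            findings.append({
                "file": name, "line": lineno, "role": role,
                "severity": SEVERITY.get(role, "review"),
                "token": match.group()[:12] + "...",  # never echo full keys into CI logs
            })
    return findings

def constructed_jwt(role):
    """Build a fake, unsigned token for the sample below (not a real key)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}),
                     enc({"iss": "supabase", "role": role}), "c2lnbmF0dXJl"])

# Constructed sample of minified build output.
SAMPLE = ('const u="https://example.invalid";\n'
          f'const k="{constructed_jwt("service_role")}";\n'
          f'const p="{constructed_jwt("anon")}";\n')

if __name__ == "__main__":
    for finding in scan_bundle("dist/app.js", SAMPLE):
        print(finding)
```

A `critical` finding means the key is burned and must be rotated; a `check-rls` finding is only acceptable once Row-Level Security is confirmed on every table that key can reach.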
The takeaway
Vibe coding is the real deal. A solo founder built an $80 million company in six months. A platform went zero to $200 million in a year. People who never could build are building. None of that is hype — it actually happened.
But "forget that the code even exists" is a great way to write software and a terrible way to secure it. The tools are brilliant at making the thing work and oblivious to making it safe, and that gap is currently spilling millions of credentials onto the open web.
So build on the vibes — just check the locks before you hand out the address. The app that appears in an afternoon can leak for 48 days. Make sure yours isn't one of them.
Reply and tell us: have you shipped something built with AI? Did you check what it left exposed — or are you about to go look right now? We'll feature the best confessions next week.

