Lovable Apologizes for Chat Data Exposure in Public Projects
App-building platform says issue stemmed from unclear product design and technical error, not a data breach
In brief
- Lovable, an AI-powered app-building platform, has apologized after chat data was inadvertently exposed in public projects.
- The company clarified the issue was a combination of unclear product design and a technical error, not a security breach.
- Users who made projects public had their chat histories visible, though many assumed 'public' only applied to the published app.
AI-generated summary
Why it matters
Lovable is a 'vibe coding' platform that allows users to build applications through conversational interfaces, making chat histories a core part of the development process. The company moved from making projects public by default to recognizing that users were confused about what 'public' meant for their data.
AI-powered app-building platform Lovable issued an apology explaining how chat data was inadvertently exposed in public projects, and added that it has now fixed the issue.
In a detailed statement posted on X, the company said its earlier communication "didn't properly address" the problem. It clarified that the issue was not a data breach, but a mix of unclear product design and a technical error.
Lovable explained that initially users could make projects 'public' or 'private'. Public projects were intended to be fully open, similar to public repositories on platforms like GitHub, including both code and chat history. However, over time, the company realised that many users interpreted 'public' differently, assuming it applied only to the published app and not to underlying chats or development data, which were actually visible to others.
The statement comes after the startup responded to claims about client data being breached, adding that the issue stemmed from unclear documentation rather than a security breach.
In a series of posts on X, a researcher with the handle "impulsive" (@weezerOSINT) mentioned he was able to access another developer's active project, including its full source code, database credentials, customer records, AI chat histories, and related data.
Clarifying its stance, the company said on Tuesday that it has begun tightening controls.
What led to this? The company said it had already started making changes last year. Earlier, projects on the free tier were public by default. The company changed this in May 2025, and allowed users to create private projects on the free tier. In December, it made all projects private by default.
However, a system update earlier this year accidentally turned chat visibility back on for some public projects. The issue was reported by researchers but not flagged as a problem initially as it was mistaken for intended behaviour.
Lovable said it has now reversed the change and ensured that chats in public projects are no longer accessible. The company acknowledged that its documentation and settings were confusing. "We understand that pointing to documentation issues alone was not enough here. We'll do better," it said.
Lovable, a vibe coding platform, allows users to build applications through conversational interfaces, making chat histories a core part of the development process.
Open questions
- How many users were affected by the data exposure
- Whether any malicious actors accessed exposed data
- The specific technical details of the system update that caused the issue