The startup acknowledged that its documentation around what “public” meant had been unclear.
In a statement posted on X on Monday, the company said it had been “made aware of concerns regarding the visibility of chat messages and code on Lovable projects with public visibility settings.” It added that the issue stemmed from unclear documentation rather than a security breach.
The statement follows disclosures by a researcher posting under the handle “impulsive” (@weezerOSINT), who went public with the issue after reporting it to the company more than six weeks ago.
In a series of posts on X, the researcher said he was able to access another developer’s active project, including its full source code, database credentials, customer records, AI chat histories and related data.
“This is not hacking,” the researcher wrote. “This is five API calls from a free account.”
Lovable issues clarification on data breach
In response, Lovable said chat messages in public projects “used to be visible,” but added that this is “now no longer possible.”
The company drew a distinction between chat history and code, saying the visibility of code in public projects was intentional and consistent with the product’s design. It added that while it had experimented with different ways of surfacing build history, the core behaviour around code access had remained unchanged.
The company also stated that enterprise customers have not been able to set new projects to public since May 25, 2025.
Lovable, founded in 2023, raised $330 million last December at a $6.6 billion valuation, according to a Reuters report.