My Lovable app got hacked, what do I do?
Short answer
First, don't panic. Rotate your Supabase service-role key and any other API keys, force-logout every user, and email anyone whose data may have been accessed. Then get a plain-English scan so you know exactly what's still exposed. Lovable-specific: the #1 cause is a Supabase RLS policy that lets any logged-in user read every row, not just their own.
Before anything else, take a breath and do these four things in order:
- **Rotate keys.** In Supabase, go to Settings → API and reset the service-role key. In Stripe, roll the secret key. In OpenAI, revoke and regenerate the key. Then update every place the old values are deployed (Lovable environment variables, edge-function secrets, CI) or your own app breaks along with the attacker's access. The public anon key is designed to be shipped in the browser; rotating it buys you nothing, because its only protection is your RLS policies.
- **Force-logout everyone.** In Supabase Auth, open Users and invalidate all sessions. That revokes refresh tokens, so stolen sessions can't be renewed. Already-issued access tokens are JWTs that stay valid until they expire (one hour by default), so if the attacker may be holding a live token, also rotate the project's JWT secret: that kills every outstanding token at once, including legitimate users' sessions, which is what you want here.
- **Check what was accessed.** Supabase's API and Postgres logs show which requests hit your tables, when, and from where. Look for bulk reads of user-data tables (one request returning thousands of rows, or a rapid series of paged reads from a single IP or a single user JWT); that's the signature of data being scraped through the API. In Stripe, check the Events log for unexpected refunds, payouts, subscription changes, new team members, or new API keys.
- **Notify regulators and affected users.** Under GDPR you must notify your supervisory authority within 72 hours of becoming aware of the breach, and tell affected users without undue delay when the breach is likely to put them at high risk. US state breach-notification laws set their own deadlines and content requirements, so check the ones that apply to where your users live. One honest email is far better than being caught hiding it later.
**The #1 cause on Lovable** is a Supabase Row-Level-Security (RLS) policy that lets any logged-in user read every row in a table, not just their own; typically a policy whose `using` clause is literally `true`. The close cousin is a table with RLS switched off entirely, which the anon key can read in full no matter what policies exist. The fix is one SQL migration: scope each policy to the row's owner and make sure RLS is enabled on every table in `public`. When your repo is enabled, Securie will tell you exactly which tables are affected, in plain English. Request access at /scan.
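Here is what that migration looks like, as an added example (not code from Lovable, Supabase, or Securie). It assumes a constructed `public.profiles` table with a `user_id uuid` column holding the owner's auth user id; the policy names are placeholders. It shows the over-permissive policy beside its fix, and ends with two audit queries you can run in the Supabase SQL editor to find other tables with the same problem.

```sql
-- BEFORE (the vulnerable shape): any authenticated user can read every row.
-- Assumed table: public.profiles(user_id uuid, ...). Policy name is a placeholder.
create policy "Authenticated users can read profiles"
  on public.profiles
  for select
  to authenticated
  using (true);            -- <-- the bug: no row filter at all

-- AFTER: drop the permissive policy and scope reads to the row owner.
drop policy if exists "Authenticated users can read profiles" on public.profiles;

-- RLS must be ON, otherwise policies are never consulted and the anon key
-- reads the whole table through the REST API.
alter table public.profiles enable row level security;

create policy "Users can read their own profile"
  on public.profiles
  for select
  to authenticated
  using ((select auth.uid()) = user_id);   -- auth.uid() is the caller's JWT subject

-- Writes need the same scoping. `with check` guards the row being written so a
-- user cannot update their own row to point at someone else's user_id.
create policy "Users can update their own profile"
  on public.profiles
  for update
  to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

-- AUDIT 1: every policy in public whose USING or WITH CHECK clause is literally true.
-- Each row returned is a table that any logged-in (or anon) user can hit in bulk.
select schemaname, tablename, policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true');

-- AUDIT 2: tables in public with RLS disabled. Supabase grants the anon and
-- authenticated roles access to public tables by default, so these are fully exposed.
select n.nspname as schema, c.relname as "table"
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;
```

Run the two audit queries before and after the migration; both should return zero rows when you are done. Wrapping `auth.uid()` in a subselect is the form Supabase recommends so Postgres evaluates it once per query instead of once per row. Note that `using (true)` is not always wrong: a table of public reference data may legitimately be world-readable, so judge each hit by what the table actually contains.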