My Lovable app got hacked, what do I do?
Short answer
First, don't panic. Rotate your Supabase service-role key and any third-party API keys, force-logout every user, and email anyone whose data may have been accessed. Then get a plain-English scan so you know exactly what is still exposed. Lovable-specific: the #1 cause is a Supabase RLS policy that lets any logged-in user read every row.
Before anything else, take a breath and do these four things in order:
- **Rotate keys.** In Supabase, click Settings → API → reset the service-role key. In Stripe, roll the secret key. In OpenAI, revoke and regenerate. Anyone who had the old keys is now locked out.
- **Force-logout everyone.** In Supabase Auth, go to Users and invalidate all sessions. Attackers who logged in with stolen credentials are now logged out.
- **Check what was accessed.** Supabase logs show every query that ran. Look for bulk reads of user-data tables — that's the sign of data being stolen. In Stripe, check for unexpected refunds, subscription changes, or new accounts.
- **Email affected users within 72 hours.** GDPR and most state laws require this. One honest email is infinitely better than being caught hiding it later.
**The #1 cause on Lovable** is a Supabase Row Level Security (RLS) policy that lets any logged-in user read every row in a table, not just their own. The fix is one SQL migration. Securie's free scan (launching this year) will tell you exactly which tables are affected, in plain English. Get on the list now and it runs on your app in week 1.
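As an added example (not code from this page, Lovable or Securie), here is what that RLS mistake and its one-migration fix look like in Supabase SQL, assuming a hypothetical `public.profiles` table with a `user_id` column that stores the owning user's `auth.uid()`. The two queries at the end check the rest of the `public` schema for the same pattern.

```sql
-- Added example: Supabase (Postgres) RLS migration. Assumed table:
-- public.profiles (id uuid, user_id uuid, email text) -- hypothetical.

-- THE BUG. A policy like this passes "is RLS on?" checks but
-- USING (true) means every logged-in user can read every row:
--
--   CREATE POLICY "profiles are readable" ON public.profiles
--     FOR SELECT TO authenticated USING (true);

-- THE FIX. Make sure RLS is actually enabled, drop the permissive
-- policy, and scope reads/writes to the row owner.
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;

DROP POLICY IF EXISTS "profiles are readable" ON public.profiles;

CREATE POLICY "profiles: owner can read own row"
  ON public.profiles
  FOR SELECT
  TO authenticated
  USING ((SELECT auth.uid()) = user_id);

CREATE POLICY "profiles: owner can update own row"
  ON public.profiles
  FOR UPDATE
  TO authenticated
  USING ((SELECT auth.uid()) = user_id)
  WITH CHECK ((SELECT auth.uid()) = user_id);

-- CHECK 1: any remaining policy whose USING clause is literally 'true'
-- (pg_policies renders the expression as text in the qual column).
SELECT schemaname, tablename, policyname, cmd, roles
FROM pg_policies
WHERE schemaname = 'public'
  AND qual = 'true';

-- CHECK 2: tables in public with RLS switched off entirely, which the
-- Supabase API exposes to any caller with the anon key.
SELECT n.nspname AS schema, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT c.relrowsecurity;
```

Both checks should return zero rows when you are done; anything they list is a table to fix with the same pattern.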