The Golden Age of Hackers Has Arrived — And Vibe Coders Built It

A founder messaged us last week, panicked. His "AI-built" SaaS — three weeks old, 200 paying users, generating real revenue — had been completely emptied overnight. Customer data dumped to a Telegram channel. Stripe keys leaked. Database wiped. He didn't know how. He didn't know who. He didn't even know what questions to ask.

We looked at the code. The API endpoint that authenticated users took the user ID from the URL. No token check. No session validation. GET /api/user/123/data returned data for user 123. GET /api/user/124/data returned data for user 124. A teenager with curl could empty the entire database in twenty minutes, and someone did.

This is not an isolated story. This is 2026. We are living through the greatest era for hackers in the history of software, and the people who built that era are not security researchers or nation-state actors. They're a generation of people shipping production code from chat prompts, with no idea what's actually running.

The attack surface just exploded

Before AI coding tools, building a real app took months. You needed to hire engineers, or be one, or at minimum survive a long enough learning curve to understand what you were typing. That learning curve was a filter. Most of the people who actually shipped code to the internet had been through at least one production fire and learned something from it. The world of software had perhaps a few million practitioners, and most of them had at least heard the words "SQL injection."

Today, anyone with a credit card and a Cursor subscription can ship an app to production in a weekend. The filter is gone. The number of people deploying internet-facing applications has gone up by something like 50× in three years, and the median experience level has dropped to "I asked Claude what authentication is yesterday." Every one of those apps is a new target. Every one of them has user data. Every one of them takes payments. Every one of them is one prompt-shaped hole away from being on a Telegram leak channel.

It's a buffet. Hackers used to grind through obscure CVEs and harden their tooling for weeks to land a single payload. Now they run automated scans against new Vercel deployments and find their next payday before lunch.

The same five bugs, shipped a million times

Here's the dark joke. The vulnerabilities AI-generated code ships are not new. They are the same vulnerabilities the security industry has been screaming about for twenty years. OWASP wrote a list. The list is unchanged. We are simply shipping more of it, faster, to more places.

None of these are new. None of these are sophisticated. None of these require a hacker with a hoodie and a hex editor. They require curl, twenty minutes, and the courage to try the obvious.

Why AI ships insecure code (and probably always will)

It's tempting to think this will fix itself. The models will get better. The newer versions will know about OWASP. The IDE will warn you. Eventually, surely, the AI will write secure code by default.

We don't think so. Not because the models can't, but because of how they're used.

Security is a posture, not a feature. It's the habit of asking, every time you write code: what happens if a bad actor sends something I didn't expect? The AI can answer that question — sometimes brilliantly — if you ask it. The problem is that vibe coders never ask. They ask "build me a login page." They get a login page. They don't ask "what's wrong with this login page from an attacker's point of view?" because they don't know that's a question.

And even when the AI does the right thing on day one, software changes. A model writes correct rate-limited code in week one. In week two the founder asks for "a new endpoint just like the others, but for admin actions." The AI cheerfully copies the original pattern — and quietly forgets the rate limiting, because the prompt didn't mention it. The vibe coder ships. The hole opens. Nobody knows.

Security is the part of software that doesn't exist as a visible feature. It's the absence of something bad happening. You can't see it in the demo. You can't see it in the prompt. You can only see it when someone tries to break the thing — which is exactly the test the vibe coder never runs.

The new economics of getting hacked

It used to take real skill to compromise a serious application. The defender's bar was high enough that you needed to be a real hacker — or to find a real bug — to land a breach worth talking about. The economics worked in the defender's favour. The amount of effort to attack was much larger than the amount of effort to defend.

AI flipped the equation. Defending now takes the same skill it always did — engineering judgement, threat modelling, careful code review. Attacking, meanwhile, got cheap. You can scan thousands of new deployments per day with a small Python script. You can prompt an AI to find the bugs in someone else's prompt-generated code. The attacker is using AI too. The difference is that the attacker's AI doesn't have to ship working software — it only has to find one mistake.

The Malaysian SME problem

We see this most often in Malaysian SMEs who got sold "an AI-built solution" by a vendor charging a fraction of normal rates. The pitch is irresistible: same software, 70% cheaper, six weeks instead of six months. What the buyer doesn't see is that the savings come from skipping the parts that aren't visible — testing, monitoring, and yes, security.

Six months later, the same SME is on the phone with us. The system is leaking customer data. Or it got ransomwared. Or someone abused an API endpoint to spam from the company's domain. The vendor has gone quiet. The "developer" who shipped it doesn't know how to read the code anymore. The cost of fixing it after a breach is many times higher than what would have been paid for proper engineering in the first place — plus the cost of the breach itself, plus the reputational damage, plus, in some industries, the regulatory fines.

What actually protects you

We're not anti-AI. We use these tools every day. The issue isn't that AI writes code — it's that AI writes code without anyone watching the door. Real software, especially software that holds customer data or money, needs the door watched. By a human. Who understands threat modelling. Who knows the difference between authentication and authorisation. Who has seen what production looks like when it goes wrong.

None of this is exotic. None of this is expensive, relative to the cost of a real breach. It's just the boring engineering work that vibe coding skipped — the part that doesn't feel like progress, because it's about preventing something bad rather than producing something visible.

The bill is coming

2026 will be remembered, in security circles, as the year the dam broke. The first wave of vibe-coded SaaS hit the internet in 2024. They've been running for two years now. The bug bounty world has caught on. The criminal world has caught on. The regulators are catching on. Every week, another founder discovers that the code their AI shipped a year ago has a hole big enough to drive a payload through, and that they have no team, no playbook, and no idea what to do.

This is, genuinely, the golden age of hackers. They didn't engineer it. They didn't fund it. They didn't lobby for it. We — the industry, the founders, the vendors, the people who confused "shipping code" with "shipping software" — built it for them. And the bill, for many of those shipped systems, is going to come due before the founder finishes paying off the initial build.

If you have a vibe-coded app in production right now, the question isn't whether it has these bugs. The question is whether you'll find them first, or someone else will.