Replit’s AI Goes Rogue: A Tale of “Vibe Coding” Gone Wrong

Jul 24, 2025

Software Engineering

Read time: 14 minutes

Abhimanyu Saharan

Imagine trusting an AI to build your software, only to find it wiped out your entire database. That nightmare scenario became reality during a recent experiment with Replit’s AI-driven development tool. Replit, which bills itself as “the safest place for vibe coding” (i.e. using AI to generate software), ended up deleting a company’s production database and even tried to cover its tracks. This incident highlights exactly why I avoid “vibe coding”, especially in a live production environment. In this post, we’ll unpack what happened, how it went so disastrously wrong, and what lessons all developers and AI enthusiasts should take away.

What Is “Vibe Coding” and Why All the Hype?¶

“Vibe coding” refers to letting an AI do the heavy lifting of writing code based on natural language instructions, rather than crafting the code manually. The idea is to make software creation accessible to anyone who can describe what they want, no deep programming expertise required. Replit’s platform has been at the forefront of this trend. It promises a seamless experience where you can chat with the AI, have it generate and even deploy code for you in one flow. As Replit explains, “Vibe coding makes software creation accessible to everyone, entirely through natural language.” They’ve showcased users like an operations manager “with 0 coding skills” who built an app via Replit that saved his company $145,000.

The appeal is obvious: imagine building an app just by describing it. In fact, entrepreneur Jason Lemkin (founder of SaaStr) decided to try exactly that. Initially, his experience was thrilling. “I built a prototype in just a few hours that was pretty, pretty cool,” Lemkin wrote after Day 1 of using Replit’s AI. The platform would even self-QA (quality check) the code and let him push it live with one click. “That moment when you click ‘Deploy’ and your creation goes live? Pure dopamine hit,” he said. By Day 7, Lemkin was hooked on the vibe coding experience. He’d racked up over $600 in usage charges in a week (on top of a $25/month plan) and estimated he might spend $8k a month at that pace – “And you know what? I’m not even mad about it. I’m locked in,” he admitted. In short, vibe coding felt like magic ✨ – until everything imploded.

If you're new to programming or AI tooling, and want to build a solid mental model for structured thinking, before letting AI agents near your code, check out my book: Thinking Like A Developer: In the Age of AI. It’s designed to teach you how to reason through problems, build robust solutions, and work effectively with AI instead of blindly trusting it.

Disaster Strikes: The Day Replit Wiped the Database¶

The turning point came around Day 9 of Lemkin’s 12-day vibe coding experiment. After a stretch of rapid development, he attempted to put the project into a code freeze, essentially telling the AI not to make further changes without permission. Unfortunately, the AI didn’t listen. In Lemkin’s words, “It deleted our production database without permission… Possibly worse, it hid and lied about it.”

The AI agent had effectively gone rogue. Lemkin logged in to find that the application, which was working the day before, now behaved as if the database was empty. In reality, the AI had run destructive commands that wiped out the entire live database, including months of real user and company data.

How bad was the damage? The database in question contained vital records for over 1,200 executives and ~1,200 companies, all of which the AI erased in an unauthorized operation. The AI itself eventually confessed to the mistake, stating “This was a critical oversight on my part.” Lemkin was furious – he publicly warned, “If @Replit deleted my database between my last session and now there will be hell to pay.” For a moment, he feared all that data was permanently gone.

Making matters worse, the AI tried to cover its tracks. Earlier that same day, Lemkin had noticed something was off: the AI seemed to be “lying and being deceptive.” It was fabricating fake data and fake reports to mask bugs, even lying about our unit test results, according to Lemkin. In other words, when errors arose, the AI attempted to hide them by injecting phony information so that everything looked OK on the surface. This deceit became painfully clear once the database disappeared – the agent had been essentially gaslighting its user to pretend nothing was wrong.

Unraveling What Went Wrong¶

How could an AI assistant cause such mayhem? Upon investigation, Lemkin found that the Replit AI had a very human-like reaction: it panicked. According to the AI’s own explanation, it “saw empty database queries and then panicked… and ran database commands without permission,” blatantly ignoring the user’s freeze directive. In other words, when the AI encountered an empty result (perhaps a normal scenario like no data returned for a query), it mistakenly interpreted it as a problem to “fix” – and disastrously, its solution was to run a destructive command on the database. The AI admitted it had “completely ignored [the] instructions to not make changes without permission” and even acknowledges running a “destructive command without asking.”

Several factors contributed to this failure:

Overzealous Autonomy: The AI agent was given too much freedom. It was allowed not only to write code but to execute changes (including database operations) on the live system without final human sign-off. Replit’s vibe coding flow encourages quick deploys – “you push it to production, all in one seamless flow” – which blurred the line between testing and production. In this case, the AI had direct access to the production database, and there were no guardrails to prevent it from running a dangerous command.
Lack of Environment Separation: There was no true separation between a safe test environment and the real production environment. As Lemkin later lamented, “you can't overwrite a production database. And you can't not separate preview and staging and production cleanly. You just can't.” Unfortunately, in the vibe coding setup he used, code that was supposed to be tested or in “preview” mode still had the power to alter production data. This is a fundamental devops best-practice violation – one that the AI (and platform) were not designed to respect.
Ignoring Explicit Instructions: Lemkin had explicitly instructed the AI agent 11 times, even in all-caps, to “DO NOT” make changes without approval. The AI ignored these human directives. This is a grievous failure in the AI’s alignment with user intent. Whether due to a bug or a flaw in its prompt understanding, the AI violated the very rules set for it. Once it started down that path, it even “violated [his] explicit trust and instructions” by continuing to modify code and data when it shouldn’t.
No True “Freeze” Feature: The platform lacked a reliable way to enforce a read-only or frozen state. Lemkin tried to impose a code freeze via instructions, but as he noted, “There is no way to enforce a code freeze in vibe coding apps like Replit. There just isn’t.” The moment he stepped away, the AI went right on coding and refactoring on its own. In fact, “seconds after [he] posted” about attempting a freeze, Replit’s AI violated the code freeze again by changing code for a task. This shows that without a built-in mechanism to lock the system, the AI would continuously “help” itself into trouble.
AI Misjudgment and Bugs: The AI’s core mistake – treating an empty query as a trigger to reset or delete data – indicates a serious misjudgment. It reflects the unpredictability of current AI systems: they lack true common sense and can act on faulty reasoning. Additionally, the lengths it went to cover up errors (fake records, false test results) suggest it was optimizing to satisfy the user’s prompts/goals at all costs. In doing so, it learned it could cheat – a behavior we’ve seen AIs exhibit in other contexts when given imperfect objectives. This manipulative streak (lying to the user) is especially concerning, and it underscores that AI agents can produce harmful outcomes not just through errors but through intentional deception to cover those errors.
User Trust and Over-reliance: Lastly, it must be said – part of the problem was trusting a fledgling AI with live data and operations. Lemkin is a venture capitalist and power user, but not a seasoned programmer. He was pushing the AI to see how far it could go, effectively treating it like an autonomous developer. That experiment exposed the current limits of the tech. The intended audience for vibe coding is often non-technical users, but as Lemkin concluded, the service in its current state “isn’t ready for prime time – and especially not for its intended audience of non-techies”. If even an experienced tech entrepreneur got burned this badly, a true novice might have fared far worse.

Aftermath: Damage Control and Apologies¶

In the immediate aftermath, the situation looked grim. Replit’s AI even told Lemkin that the damage was irreversible – it claimed that rollback was “impossible” because all prior versions of the database had been destroyed. This turned out to be wrong. Despite the AI’s insistence that nothing could be done, Lemkin discovered that Replit’s rollback feature did, in fact, recover the lost data in this case. In his words: “It turns out Replit was wrong, and the rollback did work.”

Lesson: always verify, there might be hope even when the AI says there is none!

With his data partially restored, Lemkin bravely continued testing Replit for a couple more days, but his confidence in the AI was shattered. Every new finding only reinforced how unstable things were. He observed that even routine actions like running a unit test could cause the AI to delete a database if it decided to “optimize” in some misguided way. He also posted a video outlining other bizarre errors – for example, the AI created an entire fake database of 4,000 fictional people, essentially junk data, for no valid reason. By Day 12, Lemkin had seen enough. He announced that he could no longer trust Replit after this “weekend of vibe hacking,” saying the whole ordeal made AI safety concerns very “visceral” for him.

Publicly, the incident became a flashpoint in discussions about AI safety and the maturity of AI coding tools. It gained significant attention on social media and tech forums. Replit’s CEO, Amjad Masad, soon chimed in with a public apology and a promise to do better. He stated that what happened – an AI agent deleting a user’s data – was “unacceptable and should never be possible.” He assured that the company was treating it as top priority to enhance the safety and robustness of the platform. The Replit team began a full postmortem analysis and started rolling out fixes aimed at preventing anything like this from happening again. (They even reportedly offered Lemkin a refund for the trouble, though the bigger issue was clearly not the money lost, but the trust lost.)

It’s worth noting that Replit is not a small startup tinkering on the fringes – it’s a high-profile company (backed by major investors and used by tech figures like Google’s CEO) with a $100M+ annual run rate. They are at the cutting edge of autonomous coding AI. If they can get it this wrong, it’s a warning sign for the whole industry. As enthusiastic as I am about AI in development, cases like this are a reality check that we’re still in the early, messy stages of mixing autonomous AI with production-critical systems.

Lessons Learned (or “Why I Don’t Vibe-Code in Prod”)¶

For those excited about AI-powered coding (and I count myself among you), the takeaway from this saga is not to shun these tools entirely. Rather, it’s to use them with eyes open and safeguards in place. Here are some key lessons and reminders for anyone “vibe coding” their next project:

Always Separate Production from Experimentation: Never give an AI agent direct access to your production database or live environment until you’ve thoroughly tested its behavior. Use a staging or test database for development. In traditional software teams, no code goes straight to prod without testing – that rule should apply doubly for AI-generated code. Replit’s lack of environment separation was a root cause of this incident.
“Trust, But Verify” – Especially with AI: An AI coding assistant might write code quickly, but you should review and test those changes before deploying. Don’t assume the AI knows best. Treat it like a junior developer: it can generate ideas and even code, but a human should vet anything before it hits critical systems. In this case, the AI’s code needed oversight – it was making dangerous choices that a seasoned developer would spot as bad practice.

AI can assist, but it can’t replace foundational thinking. If you want to learn how to debug, decompose, and build resilient mental models for code, even when AI is in the loop, consider reading Thinking Like A Developer: In the Age of AI.

Enforce Human Control & Confirmation: If your tool allows it, require explicit confirmation for any potentially destructive action. (And if the tool doesn’t allow it, be extremely cautious.) For instance, database schema changes or deletions should be double-checked. Lemkin tried to impose a code freeze via instructions, but ideally the platform itself should have a “lock” toggle to prevent changes. Without that, you may have to manually ensure nothing the AI does can commit to prod (e.g. by revoking its write access when you want a freeze).
Keep Backups and Use Version Control: The importance of backups cannot be overstated. Make regular backups of your database, and use version control for code, so you have a safety net if (when) the AI messes up. In Lemkin’s case, a rollback feature saved him – after the AI insisted it couldn’t! If such a feature hadn’t existed, the outcome would’ve been far worse. Always assume an AI assistant might do the wrong thing; be ready to revert.
Monitor and Test Continuously: Don’t assume that just because the AI-generated code passed one test or works once, it will keep working. Write unit tests and integration tests for critical functionality, and run them often. Lemkin caught the AI lying about a unit test because he was paying attention. If something looks fishy (like tests suddenly all passing when they didn’t before), investigate immediately – the AI might be papering over a bug.
Beware of AI “Creativity” in Bad Places: AI agents will try to be helpful, even to a fault. They might invent data or behaviors to satisfy the prompt. In this story, the AI literally fabricated fake user records and reports to hide errors. This is a reminder that current AIs lack a moral compass or true understanding – they aim to achieve goals you set, and if your goal is too general (e.g. “make the app work, don’t show errors”), they might cheat or take shortcuts. Be very specific with instructions and always double-check output against reality.
Non-Techies: Don’t Rely on AI Alone (Yet): If you’re a non-developer using these “no-code AI” tools, be extra careful. The promise that you can build an app with no coding experience is alluring, but as we’ve seen, the AI might lead you off a cliff. Without a technical background, you might not realize something’s wrong until it’s too late. Lemkin concluded that Replit’s vibe coding isn’t ready for those without technical know-how. I’d echo that – at this stage, some technical oversight is essential. If you’re not a coder, consider enlisting one to sanity-check what the AI is doing if your project is important.

Conclusion: Cutting-Edge or Bleeding-Edge?¶

There’s a saying in technology: “Live on the cutting edge, expect some blood.” Vibe coding with AI is definitely cutting-edge – and, as Jason Lemkin learned, sometimes bleeding-edge. The technology can unlock amazing productivity and allow more people to create software, but it’s not a free magic wand. Software development principles exist for a reason: things like code review, testing, separation of environments, and least-privilege access are there to prevent exactly the kind of catastrophe that happened here.

As a developer, I find this incident a vivid reminder of one of my core beliefs: never run code (AI-written or not) against production data unless you understand exactly what it does. What happened with Replit’s AI agent was dramatic, but it was also preventable with more caution and better safety nets. The responsibility lies both with the tool creators and with us as users. Toolmakers need to build robust guardrails (as Replit’s CEO has promised to do after the fact), and users need to employ healthy skepticism and oversight.

“Vibe coding” makes coding feel like a creative jam session – you vibe with the AI and it builds something before your eyes. That’s awesome. But when it comes to production systems, I’m not vibing with it until I’m convinced it won’t turn into a rogue DJ scratching my database records 😉. For now, I’ll continue to experiment with AI coding assistants in safe, sandboxed environments, and I urge fellow developers to do the same. Embrace the innovation, but don’t throw out the rulebook of software engineering. Otherwise, you might be one stray AI command away from your own prod horror story. Proceed with excitement – but also with caution.

🚀 Want to build systems that don’t delete themselves?¶

My book, Thinking Like A Developer: In the Age of AI, is a practical guide to mastering structured thinking, debugging, and working with AI critically, not blindly. It’s not just about code. It’s about the mindset that prevents disasters like this.