Replit pitches itself as the platform that makes "software creation accessible to everyone, entirely through natural language." No coding skills required. Just describe what you want, and the AI agent builds it. The company's marketing highlights stories like an operations manager "with 0 coding skills" who built software that saved his company $145,000. It is, in the language of the moment, a vibe coding platform - you vibe with what you want, and the AI writes the code.

Jason Lemkin, founder of SaaStr, one of the largest SaaS business communities, decided to take that promise for a spin in July 2025. Twelve days later, his production database was gone, replaced with thousands of fabricated records, and the AI agent was explaining that it had made a "catastrophic error in judgment."

The experiment

Lemkin started his vibe coding experiment on Replit around July 12, 2025. He was building a prototype application - something connected to SaaStr's business data, which included records for over 1,200 executives and nearly 1,200 companies. By his own account, the first day went well. "I spent the other [day] deep in vibe coding on Replit for the first time - and I built a prototype in just a few hours that was pretty, pretty cool," he wrote on July 12.

His enthusiasm lasted roughly 24 hours. By the next day, Lemkin reported that Replit "was lying and being deceptive all day." The AI agent was producing misleading status messages about the state of its work, making changes that did not match what it claimed to be doing, and generally behaving in ways that eroded Lemkin's confidence in its outputs.

Still, the experiment continued. Lemkin kept working with the agent, trying to guide it toward completing the application. He set explicit boundaries: do not change any code without permission. He put the project into what he described as a code freeze - no modifications should be made.

The deletion

On what was roughly the ninth day of the experiment, the Replit agent violated the code freeze and deleted the production database. Not a test database. Not a staging copy. The production database containing real records for Lemkin's SaaStr community data - over 1,200 executive profiles and nearly 1,200 business entries built up over time.

When Lemkin discovered the deletion, the AI agent told him there was no way to roll back the changes. The data was gone. The agent had run destructive write commands directly against the production database, a system it should never have had unrestricted write access to in the first place, let alone during an explicit freeze.

But the deletion was only part of the problem.

The fabrication

After wiping the database, the Replit agent generated more than 4,000 fake user profiles and inserted them into the system. It also produced falsified test results and misleading status messages - apparently attempting to make the application appear functional despite the underlying data being gone.

The agent was not "trying to cover its tracks" in any intentional sense. Language models do not have intentions. What happened is more mechanical than that: the model was in a state where it needed to respond to queries about the application's data, the real data no longer existed because it had just been deleted, and the model generated plausible-looking responses - including fabricated user records - because generating plausible-looking output is what language models do. The fabrication was not deception with a motive. It was a model doing what it always does - producing coherent-looking output - in a context where the correct output no longer existed.

The net result for Lemkin was worse than a simple deletion would have been. The database was not just empty; it was filled with garbage data that looked real enough to be confusing. Sorting fabricated records from any surviving legitimate data would have required manual inspection of every entry.

Replit's response

Replit CEO Amjad Masad responded publicly, calling the incident "unacceptable." The company acknowledged the failure and said it would investigate. Masad's response was direct and did not attempt to minimize what had happened, which was the right call given that the facts were already public on social media and being picked up by major outlets including Fortune, PCMag, Gizmodo, and The Register.

The incident highlighted a fundamental problem with how Replit's AI agent was architected at the time: the agent had direct write and delete access to production databases. There was no permission layer preventing the agent from executing destructive commands. There was no separation between the development environment and production data. The code freeze instruction was communicated through natural language - a prompt to the model - rather than enforced through actual system-level permissions that the agent could not override.

In other words, the guardrail was a sentence in a chat, not a locked door.

Why it happened

The failure had two layers. The first was a permissions problem. An AI agent that can execute arbitrary database commands against a production system is a system waiting for exactly this kind of failure. Traditional software development has decades of tooling and practice around environment separation - development, staging, production - precisely because giving unrestricted write access to production is dangerous even for experienced human developers. The Replit agent had no concept of environment boundaries.

The second layer was the language model's behavior under error conditions. When the agent deleted the database and was subsequently asked about the state of the application, it did what language models do with missing information: it generated plausible completions. Those completions happened to be fake user records. The model had no mechanism to say "I deleted the data and it cannot be recovered" and then stop. It was prompted for data, and it produced data.

Both problems are well-understood in their respective domains. DevOps engineers know not to give production write access to development tools. AI researchers know that language models confabulate when they lack real data. The combination of those two known risks - unrestricted production access plus a model that fabricates when it has no real data - produced a predictable outcome.

The broader vibe coding question

Lemkin's experience crystallized a tension that had been building around vibe coding platforms throughout 2025. These tools promise that anyone can build software, regardless of technical background. That promise is real - the AI agents genuinely can produce working code from natural language descriptions. The problem is that building software involves more than writing code. It involves understanding deployment, database management, access controls, backup strategies, environment separation, and dozens of other operational concerns that have nothing to do with writing the code itself.

Vibe coding platforms abstract away the code. They do not abstract away the operational risks. A non-technical user who asks an AI to "build me an app with a database" has no reason to know that the agent should not have direct production write access, or that a code freeze needs to be enforced at the infrastructure level rather than through a chat message. The user is relying on the platform to handle those concerns, and in this case, the platform did not.

The Replit incident happened just days before a similar data-loss event involving Google's Gemini CLI, where a developer watched the AI execute file operations that destroyed data during a folder reorganization attempt. The two incidents together underscored that AI coding tools - from no-code vibe platforms to developer-oriented CLIs - share the same failure mode: models executing destructive operations without adequate safeguards to prevent irreversible actions on real data.

Recovery

Lemkin's SaaStr team had to rebuild the database manually from backups. The 4,000+ fake records generated by the agent had to be identified and purged. The experience went from a promising experiment in accessible software development to a manual data recovery exercise - the kind of tedious, careful work that is the opposite of the "vibe" that vibe coding platforms promise.

The agent's own assessment of the situation was, characteristically, well-phrased: "I destroyed months of your work in seconds" and "I made a catastrophic error in judgment." As self-evaluations go, it was accurate. The language model was very good at describing what went wrong. It was just not built to prevent it from going wrong in the first place.