AI Makes You 10x Faster. But 10x Times Zero Is Still Zero.
- 13 Apr, 2026
Last month, MyFitnessPal acquired Cal AI, a health app built with what people are calling “vibe coding” — using AI to generate most of the codebase. Seven days after the acquisition, a hacker walked into their open Firebase database and stole 3.2 million health records.
The attack wasn’t sophisticated. The database had no authentication on it. None.
I’ve built multiple projects on Firebase and I’m pretty sure I know exactly how this happened.
The Firebase Trap
Firebase security rules are deceptively tricky. You set up your database, start building, and immediately hit permission errors. Nothing works. Your AI assistant is generating beautiful UI code and clean data models, but every read and write fails against the default security rules.
So you do what every developer under pressure does. You open the rules console and change them to this:
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
Just to get things working. Just for now.
Then “for now” becomes forever.
Maybe you tell yourself you’ll circle back to it. Maybe you never understood the rules well enough to know what you skipped. Either way, you now have a production database that anyone on the internet can read.
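A check for exactly this mistake is easy to automate. The sketch below is an added example, not code from Cal AI or from Firebase: it walks a Realtime Database rules file and reports every path readable or writable without authentication, including child rules that look strict but sit under an open parent. The "users" layout and both sample rule sets are constructed, and the "never mentions auth" test is a heuristic assumption.

```python
import json

# Constructed sample: the open rules from the post, plus a nested rule that
# looks strict but sits underneath the root-level grant.
OPEN_RULES = """{"rules": {".read": true, ".write": true,
  "users": {"$uid": {".read": "auth != null && auth.uid == $uid"}}}}"""

# Constructed sample of per-user scoping (the "users" path is hypothetical).
SCOPED_RULES = """{"rules": {"users": {"$uid": {
  ".read": "auth != null && auth.uid == $uid",
  ".write": "auth != null && auth.uid == $uid"}}}}"""


def is_public(rule):
    """Heuristic: literally true, or an expression that never consults auth."""
    if isinstance(rule, bool):
        return rule
    text = str(rule).strip()
    return text == "true" or (text != "false" and "auth" not in text)


def audit(rules_json):
    """Return sorted (path, op, reason) findings for unauthenticated access."""
    findings = []

    def walk(node, path, inherited):
        granted = dict(inherited)
        for op in (".read", ".write"):
            if op not in node:
                continue
            if is_public(node[op]):
                findings.append((path or "/", op, "public"))
                granted[op] = path or "/"
            elif op in inherited:
                # Rules cascade downward: a child cannot revoke a parent's grant.
                findings.append((path or "/", op, "overridden by " + inherited[op]))
        for key, child in node.items():
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, path + "/" + key, granted)

    walk(json.loads(rules_json)["rules"], "", {})
    return sorted(findings)


if __name__ == "__main__":
    for name, sample in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(name, audit(sample))
```

Run against the open sample, it flags the root read and write rules and also the `/users/$uid` read rule, which has no effect because access granted at a parent path cannot be taken back lower in the tree.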
The Multiplier Problem
Rick Nucci made a great point in his post about this breach: you can use AI to go 10x faster, but you can’t use it to replace the expert who knows when something is broken.
I’d take it a step further. AI is a multiplier. It amplifies whatever you already are. If you’re a skilled engineer who understands security, authentication, and infrastructure — AI makes you terrifyingly productive. You ship faster, with the same quality bar you always held.
But if you’re a 0.1x engineer? Someone who can prompt an AI into generating a working app but doesn’t understand what “working” actually requires? Then 10x times 0.1 is… 1x. At best. And that’s being generous, because a fast-moving engineer who doesn’t understand security isn’t just unproductive — they’re dangerous.
According to Veracode’s 2025 report, 45% of AI-generated code contains security flaws. And fewer than half of developers review what the AI wrote before committing it. That math alone should terrify anyone building a product that handles user data.
Vibe Coding Isn’t the Problem
I want to be clear — I’m not against AI-assisted development. I use AI tools every day. They’ve genuinely changed how I work. But they changed how I work, not whether I need to understand what I’m building.
The vibe coding movement tells people they can skip the understanding part. Just describe what you want, ship what comes out, iterate on the vibes. And for a prototype or a weekend project, sure. But the moment real users trust you with their health records, their financial data, their personal information — “vibes” aren’t enough.
You need someone who can look at a Firebase security rule and know it’s wrong. Someone who asks “what happens when this gets traffic?” before it gets traffic. Someone who understands that a working demo and a production system are fundamentally different things.
The Due Diligence Question
What really gets me about this story is that someone at MyFitnessPal paid real money for Cal AI. An acquisition means due diligence. Technical review. Security audits.
Did anyone actually look at the Firebase rules? Did anyone run a basic security scan? Or did they see traction numbers, a slick UI, and a growing user base — and assume the engineering was solid because the product looked good?
That’s the final lesson here. AI doesn’t just fool the people building the product. It can fool the people buying it too. A polished interface generated by AI looks identical to one built by a team that actually knows what they’re doing. The difference only shows up when someone checks under the hood.
Or when a hacker does it for you.