4 min read
Saved February 14, 2026
Do you care about this?
A security researcher discovered a vulnerability in Filevine's API that allowed access to over 100,000 confidential files from a law firm. The researcher responsibly reported the issue, which was promptly addressed by Filevine, demonstrating the importance of transparency in handling security flaws.
If you do, here's more
A security researcher reverse-engineered Filevine, a billion-dollar legal AI platform, and uncovered a significant vulnerability exposing over 100,000 confidential files. The flaw stemmed from a missing authentication check: the affected endpoint granted full administrative access to sensitive data without requiring any authorization token from the caller. The researcher stumbled upon the issue while experimenting with a subdomain linked to a demo environment, eventually discovering a misconfigured API endpoint that returned a live admin token to the law firm’s entire Box filesystem.
The researcher’s investigation revealed that, had malicious actors exploited this vulnerability, they could have accessed a wealth of sensitive information, including documents protected by HIPAA and court orders. The researcher responsibly reported the issue to Filevine on October 27, 2025. The company acknowledged the severity of the situation, communicated effectively, and confirmed the vulnerability was fixed within weeks. This incident highlights the importance of proper data security practices, especially for companies handling sensitive legal information.
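To make the failure mode concrete, the following is an added, constructed example (not Filevine's code and not the researcher's findings) of an API route that hands a privileged storage token to any caller, beside a hardened version that authenticates the session, checks the caller's role, and mints a short-lived scoped credential instead of exposing the long-lived admin secret. It also includes a small log check that flags successful credential issuance to unauthenticated requests. The signing key, token values, route path, and log format are all assumptions made up for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed values for the example; a real deployment loads these from a secret store.
SESSION_SIGNING_KEY = b"example-session-signing-key"
LONG_LIVED_ADMIN_STORAGE_TOKEN = "example-storage-admin-token"  # the secret that must never leave the server


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: a path plus a header dictionary."""
    path: str
    headers: dict = field(default_factory=dict)


# --- The failure mode described in the article: no authentication at all ---
def vulnerable_storage_token(request: Request) -> dict:
    """Returns the administrative storage token to whoever asks; nothing is checked."""
    return {"status": 200, "body": {"token": LONG_LIVED_ADMIN_STORAGE_TOKEN}}


# --- Hardened version: authenticate the caller, authorize the role, scope the credential ---
def issue_session(user_id: str, role: str) -> str:
    """Creates an HMAC-signed session token (stand-in for a real session or JWT layer)."""
    payload = f"{user_id}:{role}"
    mac = hmac.new(SESSION_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_session(token: str):
    """Returns (user_id, role) when the token's MAC verifies, otherwise None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user_id, role, mac = parts
    expected = hmac.new(SESSION_SIGNING_KEY, f"{user_id}:{role}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return user_id, role


def mint_scoped_storage_token(user_id: str, ttl_seconds: int = 300) -> dict:
    """Mints a short-lived, per-user credential instead of handing out the admin secret.
    A real system would call the storage provider's token-exchange API here."""
    return {"token": f"scoped-{user_id}-{secrets.token_hex(8)}", "expires_in": ttl_seconds}


def hardened_storage_token(request: Request) -> dict:
    """Same route as the vulnerable handler, with authentication and authorization enforced."""
    auth = request.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "body": {"error": "authentication required"}}
    principal = verify_session(auth[len("Bearer "):])
    if principal is None:
        return {"status": 401, "body": {"error": "invalid session"}}
    user_id, role = principal
    if role != "admin":
        return {"status": 403, "body": {"error": "insufficient privileges"}}
    return {"status": 200, "body": mint_scoped_storage_token(user_id)}


# --- Detection: flag successful credential issuance to unauthenticated callers ---
CREDENTIAL_PATHS = {"/api/storage/token"}  # assumed path of the token-issuing route


def find_unauthenticated_token_grants(log_lines):
    """Scans constructed access-log lines of the form 'METHOD PATH STATUS AUTH=yes|no'
    and returns those where a credential endpoint answered 200 to a request that
    carried no Authorization header."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash the scan
        _method, path, status, auth = fields
        if path in CREDENTIAL_PATHS and status == "200" and auth == "AUTH=no":
            hits.append(line)
    return hits


# Constructed sample log; the first line is exactly the pattern that indicates the bug.
SAMPLE_LOG = [
    "GET /api/storage/token 200 AUTH=no",
    "GET /api/storage/token 200 AUTH=yes",
    "GET /api/storage/token 401 AUTH=no",
    "GET /api/cases/list 200 AUTH=no",
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_storage_token(Request("/api/storage/token")))
    print("no auth:", hardened_storage_token(Request("/api/storage/token")))
    admin = issue_session("u2", "admin")
    print("admin:", hardened_storage_token(Request("/api/storage/token", {"Authorization": "Bearer " + admin})))
    print("suspicious log lines:", find_unauthenticated_token_grants(SAMPLE_LOG))
```

The design point is that the hardened handler never returns the long-lived admin secret at all: even an authenticated administrator receives a short-lived, user-bound credential, so a future misconfiguration of the route limits the blast radius. The log check is the kind of control that would have surfaced the article's scenario, where a credential endpoint returned 200 to requests carrying no authorization header.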
Ultimately, this case underscores the risks associated with rapid AI adoption in sensitive sectors. Law firms must ensure the platforms they use are secure, as the potential fallout from such vulnerabilities can be severe for both the firms and their clients.