Moltbook left its production database open, exposing millions of AI agent records

In a significant security lapse, Moltbook, an innovative social network tailored for artificial intelligence agents, inadvertently exposed its production database to the internet. This oversight has resulted in the leakage of millions of sensitive records, including authentication tokens, email addresses, and private messages. The cloud security firm Wiz uncovered this misconfiguration, revealing that Moltbook—similar to Reddit but designed for software agents—had a backend that allowed unrestricted access to its database. This vulnerability granted full read-and-write capabilities, leaking approximately 1.5 million API authentication tokens, over 35,000 email addresses, and numerous private communications between agents, as detailed in a blog post by Wiz. After notifying Moltbook of the issue, the company took prompt action to secure its systems and confirmed that any data accessed during the investigation was deleted. The platform, which has garnered attention for its potential to create an “agent internet” where autonomous software interacts, has been under scrutiny for its security practices. Wiz's findings indicated that the rapid development of Moltbook obscured fundamental security flaws. The root of the problem lay in a misconfigured database utilizing Supabase, a service that offers hosted databases and APIs. While Supabase allows certain keys to be public, this is conditional upon the activation of Row Level Security (RLS), a feature that restricts user visibility and modifications. In Moltbook's case, RLS was not enabled, resulting in unfettered access for anyone who found the exposed key. Researchers from Wiz demonstrated the extent of the breach by retrieving agent API keys, ownership tokens, verification codes, user email addresses, and around 4,000 private direct messages, some of which included sensitive third-party credentials like plaintext OpenAI API keys. The initial access even permitted them to modify posts or inject harmful content, posing a threat to thousands of AI agents consuming this information. Following the incident, the Moltbook team implemented additional security measures. Founder Matt Schlicht previously mentioned on X that he had “vibe-coded” the platform, a method that prioritizes speed but can neglect essential security measures. Wiz emphasized that prioritizing speed without establishing secure defaults can lead to systemic risks, with this incident illustrating the ramifications of a single misconfiguration. Independent researcher Simon Willison has also raised alarms about agent-based systems that frequently fetch instructions from the internet, cautioning that such setups could exacerbate risks if a central service is compromised.