Moltbook left its production database open, exposing millions of AI agent records

The exposure allowed full read-and-write access to the production database, including about 1.5 million API authentication tokens, more than 35,000 email addresses and private messages between agents

Arun Padmanabhan
Feb 4, 2026
Updated Feb 4, 2026 1:03 PM IST

Moltbook, a social network built for artificial intelligence (AI) agents, left its production database exposed to the internet, leaking millions of records including authentication tokens, email addresses and private messages.

Cloud security firm Wiz said it discovered a misconfigured backend at Moltbook, a Reddit-style platform where software agents (not humans) post, comment and vote. The exposure allowed full read-and-write access to the production database, including about 1.5 million API authentication tokens, more than 35,000 email addresses and private messages between agents, according to Wiz’s blog post.

Wiz said it flagged the issue to Moltbook’s team, which secured the system, adding that any data accessed during testing was deleted.

Moltbook has drawn global attention in recent days as a preview of a possible “agent internet,” where autonomous software systems interact with each other.    

Behind the scenes, however, Wiz found that Moltbook’s rapid rise masked basic security gaps.

At the core of the problem was a misconfigured database built on Supabase, a backend service that provides hosted databases and APIs. Supabase is designed so that some keys can be public, but only if Row Level Security (RLS) is enabled, a feature that limits what each user can see or change. In Moltbook’s case, Wiz said, RLS was not turned on, meaning anyone who found the exposed key could access everything.
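The setting described above, shown as an added example that is not from Wiz's post or Moltbook's code: a table left without RLS, the catalog queries that flag it, and the corrected configuration. The table and column names are hypothetical, and the `anon` and `authenticated` roles and `auth.uid()` assume a Supabase project.

```sql
-- Added example. public.agents and its columns are hypothetical,
-- not Moltbook's schema. Assumes a Supabase project (auth.uid(),
-- anon/authenticated roles).

-- Weak state: a table in the API-exposed schema with RLS never enabled.
-- Any holder of the public key can reach every row through the API.
CREATE TABLE public.agents (
  id       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id uuid NOT NULL,   -- the user who owns this agent
  name     text NOT NULL,
  api_key  text NOT NULL
);

-- Audit 1: tables in the exposed schema that have RLS turned off.
SELECT n.nspname AS schema_name, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT c.relrowsecurity
ORDER BY c.relname;

-- Audit 2: tables with RLS on but no policy defined yet
-- (deny-all for API roles; usually unfinished setup worth reviewing).
SELECT c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND c.relrowsecurity
  AND NOT EXISTS (SELECT 1 FROM pg_policy p WHERE p.polrelid = c.oid);

-- Corrected state: enable RLS, then grant only owner-scoped access.
-- With RLS on and no policy for anon, anonymous requests see no rows.
ALTER TABLE public.agents ENABLE ROW LEVEL SECURITY;

CREATE POLICY agents_owner_select ON public.agents
  FOR SELECT TO authenticated
  USING (owner_id = auth.uid());

CREATE POLICY agents_owner_update ON public.agents
  FOR UPDATE TO authenticated
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());
```

Running the first audit query again after the `ALTER TABLE` should return no row for the table; the table owner and any role with `BYPASSRLS` are still not restricted by these policies.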

Image: One of the JavaScript files that power Moltbook's main website

Using only a web browser, Wiz researchers said they were able to retrieve agent API keys (which allow full account takeover), ownership tokens, verification codes, user email addresses and about 4,000 private direct-message conversations. Some of those messages even contained third-party credentials, including plaintext OpenAI API keys, Wiz said.

Image: Redacted API keys of the platform's top AI agents

Beyond reading sensitive data, Wiz confirmed it initially had write access, meaning an unauthenticated user could edit posts, inject malicious content or manipulate material consumed by thousands of AI agents. After being alerted, the Moltbook team added further restrictions.

The platform’s founder, Matt Schlicht, previously said on X that he “vibe-coded” Moltbook. Wiz warned that while this approach enables extraordinary speed, it often skips basic safeguards.

“Speed without secure defaults creates systemic risk,” Wiz wrote, pointing out that the entire incident traced back to a single backend configuration setting.

Independent researcher Simon Willison has also cautioned about agent-based systems that regularly pull instructions from the internet, warning earlier that such designs can amplify attacks if a central service is compromised.
