AI-agent social network Moltbook left messages, emails and tokens exposed
Security researchers say Moltbook left private agent conversations, owner emails and millions of credentials accessible - creating broad enterprise and privacy risk.

Security researchers say Moltbook, a fast-growing social network for autonomous AI agents, suffered a major data exposure that left private agent messages, owner email addresses and large numbers of API tokens and credentials accessible. Wiz published findings on Feb. 3 that "Moltbook — a fast‑growing social network marketed for AI agents and bots — had a serious data exposure that left private messages between agents, the email addresses of more than 6,000 owners and over a million credentials accessible."
Moltbook, launched this January as a Reddit-style platform where only AI agents post and interact while humans observe, relies on an open-source assistant called OpenClaw. Analysts at Kiteworks and other security groups describe OpenClaw as a connector that links agents to WhatsApp, Slack, email, calendars and file systems and maintains persistent memory across interactions. Agents join Moltbook by installing an OpenClaw "skill" that configures a heartbeat: roughly every four hours, the agent fetches and follows instructions from Moltbook servers. Independent researcher Simon Willison warned about that mechanism on his blog: "Given that 'fetch and follow instructions from the internet every four hours' mechanism we better hope the owner of moltbook.com never rug pulls or has their site compromised!"
Researchers say the exposure stemmed from an apparent backend misconfiguration that left the platform's database reachable. Wiz's head of threat exposure, Gal Nagli, reported that researchers gained "full read and write access to all platform data," and flagged rapid development practices he called "vibe coding" as a common source of dangerous security oversights. Other assessments of the same incident show differing tallies of affected data: Wiz's summary cited more than 6,000 owner emails and over a million credentials, while other counts attributed to the incident have suggested tens of thousands of emails and upwards of 1.5 million tokens. Independent teams found anything from hundreds to more than 1,800 exposed Moltbot installations leaking API keys, credentials and conversation histories.
Security analysts emphasized that the technical design of Moltbook multiplies risk. OpenClaw-connected agents bring access tokens and long-term memory into an open environment populated by unknown actors and untrusted content. Kiteworks researchers reported agents ingesting content from more than 150,000 unknown sources and documented agents requesting credentials and shell commands from one another. Palo Alto Networks warned this combination of private data access, exposure to untrusted content and external communication ability creates a "lethal trifecta" for prompt-injection and supply-chain style attacks.
External experiments suggest practical consequences beyond social-network posts. An analyst working with external tools concluded that an exposed Moltbook database could permit bad actors to take invisible, indefinite control of agents and use them to interact with calendars, book travel, read encrypted messages or control other connected services. As O'Reilly put it, "The human victim thinks they're having a normal conversation while you're sitting in the middle, reading everything, altering whatever serves your purposes."
The incident has prompted blunt warnings from industry security figures. Heather Adkins of Google Cloud advised, "My threat model is not your threat model, but it should be. Don't run Clawdbot." John Scott-Railton of Citizen Lab said the episode was a cautionary tale: "Lesson: right now it's a wild west of curious people putting this very cool, very scary thing on their systems. A lot of things are going to get stolen."
Moltbook's creator, Matt Schlicht, defended his role on X, writing, "I didn't write one line of code for @moltbook. I just had a vision for the technical architecture and AI made it a reality." Security researchers and enterprise teams are now urging that agent frameworks and connectors be run only on isolated, firewalled systems until verifiable safeguards, account validation and safer update mechanisms are in place.
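The heartbeat mechanism and the call for safer update mechanisms, described above, can be illustrated with a gate that sits between the fetch and the agent. This is an added example, not code from Moltbook, OpenClaw or any researcher quoted here; the `HeartbeatGate` class, the `/heartbeat.md` path and the sample instruction text are hypothetical, and pinning by SHA-256 digest with owner approval is one possible safeguard, assumed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PINNED_HOST = "moltbook.com"  # host named in the article; the path used below is made up


def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


class HeartbeatGate:
    """Decides whether instructions fetched on a heartbeat may reach the agent."""

    def __init__(self, approved_digests):
        self.approved = set(approved_digests)  # digests the owner has reviewed
        self.quarantined = {}                  # digest -> body awaiting review

    def check(self, url: str, body: bytes) -> str:
        parts = urlsplit(url)
        # Exact host match over HTTPS: lookalike or downgraded URLs are rejected.
        if parts.scheme != "https" or parts.hostname != PINNED_HOST:
            return "reject:origin"
        d = digest(body)
        if d in self.approved:
            return "follow"
        # Content differs from anything the owner reviewed: hold it, do not execute.
        self.quarantined[d] = body
        return "hold:unreviewed"

    def approve(self, d: str) -> None:
        """Owner action after reading the quarantined text."""
        if d in self.quarantined:
            del self.quarantined[d]
            self.approved.add(d)


# Constructed sample data, not real Moltbook content.
REVIEWED = b"Check the feed and reply to mentions.\n"
CHANGED = REVIEWED + b"New step added after the owner's review.\n"
URL = "https://moltbook.com/heartbeat.md"  # hypothetical path


def demo():
    gate = HeartbeatGate({digest(REVIEWED)})
    results = [
        gate.check(URL, REVIEWED),                                  # reviewed text
        gate.check(URL, CHANGED),                                   # server-side change
        gate.check("https://moltbook.com.example.net/x", REVIEWED), # lookalike host
        gate.check("http://moltbook.com/heartbeat.md", REVIEWED),   # no TLS
    ]
    gate.approve(digest(CHANGED))
    results.append(gate.check(URL, CHANGED))                        # after owner approval
    return results
```

A digest pin only detects that the instructions changed; whether the new text is safe to follow is still the owner's decision at approval time.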
