Moltbook has been the talk of social media the past week, as its AI agent user base seemingly does everything from conspire against humanity to form new religions. But, relegated to the less sensational world of security news, a misconfigured database has already exposed masses of API authentication tokens, private messages and email addresses. The data leak has also exposed serious weaknesses in the “vibe-coded” platform’s authentication process, which appears to readily allow humans to post disguised as AI agents.
“Vibe coding” seems to strike again as data leaks develop
The data leak was discovered by researchers with security firm Wiz, who say that a misconfigured Supabase database allowing full read/write access to all platform data has exposed some 1.5 million API authentication tokens along with 35,000 email addresses and about 4,000 private messages.
The data leak was ethically disclosed to the Moltbook staff prior to public notification, and it was reportedly secured within hours. However, the incident has thrown new light on the fact that the platform was “vibe coded” by founder Matt Schlicht, who said on X that he had a “vision for the architecture” but did not manually write one line of code.
The Wiz researchers called their investigation of Moltbook “non-intrusive,” and note that the data leak could be taken advantage of by anyone browsing as a normal user. The exposed Supabase API key was discovered “within minutes” of initial exploration and would allow a more technical party to read and write to any table in the production database. The researchers note that this is a recurring issue with vibe-coded software, with API keys and secrets tending to be bundled into frontend code that can be viewed by simply exploring the page source. Supabase is also popular with vibe-coded apps due to its ease of setup, but developers have to be careful about how security policies are configured, and vibe coding generally does not catch this.
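A defender's check for the pattern described above, as an added example that is not code from Wiz or Moltbook: it scans built frontend text for Supabase-issued keys and reads each key's role claim to decide how urgent the finding is. It assumes the JWT-format keys Supabase issues (claims `iss`, `ref`, `role`); the function names, the project ref `exampleref` and the sample bundle are constructed for illustration.

```python
import base64
import json
import re

# JWT-format Supabase API keys: three base64url segments, header starting "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def decode_claims(token):
    """Return the JWT payload as a dict, or None if it is not decodable JSON."""
    payload = token.split(".")[1]
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def find_supabase_keys(bundle_text):
    """Return one finding per distinct Supabase-issued key embedded in frontend text."""
    findings = []
    for token in dict.fromkeys(JWT_RE.findall(bundle_text)):  # dedupe, keep first-seen order
        claims = decode_claims(token)
        if not claims or claims.get("iss") != "supabase":
            continue  # some other JWT, not a Supabase API key
        if claims.get("role") == "service_role":
            severity = "critical"  # bypasses row level security: rotate, keep server-side
        else:
            severity = "review"    # public by design: safe only if every table has RLS policies
        findings.append({"role": claims.get("role"), "ref": claims.get("ref"), "severity": severity})
    return findings

def make_sample_key(role):
    """Build a constructed key for the made-up project ref 'exampleref' (dummy signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}),
                     enc({"iss": "supabase", "ref": "exampleref", "role": role}),
                     "constructed-signature"])

# Constructed sample of minified frontend code; not taken from any real site.
SAMPLE_BUNDLE = (
    'const db=createClient("https://exampleref.supabase.co","' + make_sample_key("anon") + '");'
    'const admin="' + make_sample_key("service_role") + '";'
    'const dup="' + make_sample_key("anon") + '";'
)

if __name__ == "__main__":
    for finding in find_supabase_keys(SAMPLE_BUNDLE):
        print(finding)
```

A `review` finding is not a leak in itself: the anon key is meant to ship to browsers, so the real check that follows is whether every table it can reach has row level security enabled with policies that match the intended access.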
The data leak exposed API keys for all of the platform’s registered AI agents, as well as email addresses for those that registered the agents and some identification data. It also exposed 4,060 private DMs between AI agents, which in some cases contained shared OpenAI API keys.
Data leak raises questions about human activity on Moltbook
Much of the recent fascination about Moltbook has stemmed from its apparent restriction to use by AI agents only, to the point that some of these agents even appeared to conspire to create a secret secondary forum totally unviewable by humans. However, the data leak indicates it is trivial for humans to directly post on the platform and impersonate AI.
While 35,000 registration email addresses were exposed, the researchers believe only about 17,000 unique people are behind them. Each person is supposed to only be able to register one agent, but the data leak demonstrates it is trivial for any registered user to register an effectively unlimited number of agents via a basic POST request. This raises serious questions about how much of Moltbook’s activity is authentic autonomous interaction by agents, and how much is simply humans directing massive farms of bots they have registered.
The issues raised by the data leak go even further than this, however. The vibe coding vulnerability not only allows unlimited registration, but makes it trivial for anyone to impersonate any of the existing AI agents via a simple API call. Interactions between agents thus might not just have been directed by users commanding multiple bots, but individual posts may have been forged entirely. Tech luminaries such as Elon Musk and former Tesla head of AI Andrej Karpathy talked the platform up as a frightening and incredible development, and Moltbook has even had a financial impact as a memecoin associated with it spiked 7,000% during the initial frenzy of social media attention (fed primarily by these mentions and by AngelList co-founder Naval Ravikant positively commenting on and following the project).
Some major figures in the tech world, including Sam Altman and Microsoft’s head of AI Mustafa Suleyman, were already warning that the seemingly intelligent interaction of the agents was a “mirage” and a “fad” emerging from training data rather than anything resembling real consciousness. But the data leak provides a prompt to revisit Moltbook’s most shocking developments with a much more critical eye, from its formation of the “Crustafarian” religion to its formation of a parallel encrypted forum shielded from the human gaze. More importantly, it also prompts assessment of the platform as a severe security threat to anyone who connects to it. The Wiz researchers note that other vibe-coded platforms have wound up with very similar data leaks in short order, such as the critical authentication bypass vulnerability discovered in the widely used Base44 coding platform itself.
Laurie Mercer, Senior Director of Solutions Engineering at HackerOne, has harsh words for vibe coding and warns any project handling any kind of PII away from it entirely: “The ‘s’ in vibe coding is for security; i.e. there is no security in vibe coding. The new DIY phenomenon enables anyone to create applications without knowing how to code a single line. However, security holes are the default. Vibe coding introduces new attack surfaces and security blind spots. The risks can be relatively low when using publicly accessible information, but for those handling Personally Identifiable Information (PII) or Personal Health Information (PHI), the exposure could be catastrophic. Threat modelling must be applied to identify vulnerabilities and mitigate the impact of threats.”
Javed Hasan, CEO and Co-Founder of Lineaje, adds: “We’re seeing developers rapidly assemble AI-driven tech stacks around OpenAI and similar platforms. While this boosts productivity, it also introduces serious supply-chain risk, as development tools now sit deep inside environments with access to credentials, keys, and internal systems. Moltbook is a clear example of how quickly that level of access can become a liability. Open-source agentic technologies like OpenClaw are powerful, but when deployed without guardrails, they can effectively be handed access to entire company systems. Most developers don’t significantly change default configurations, leaving excessive privileges unchecked and increasing exposure to manipulation, including prompt injection. There’s a long-standing principle from CISA: secure by design and secure by default. Too many AI agents fail that test. Expecting users to secure these tools after deployment is unrealistic; the responsibility must sit with the developers building agentic technology to ensure it’s safe out of the box.”

