1.5M API tokens exposed
- Researchers found Moltbook had about 1.5 million API tokens exposed in an open database.
- The Hacker News warned these exposures create 'toxic combinations' of credentials that SaaS agents could misuse.
- The incident underlines how credential sprawl and unsecured tokens amplify risk as enterprises deploy automated agents and integrations. (x.com)
An exposed Moltbook database left about 1.5 million API tokens available to anyone who found it, giving outsiders a path to control AI agents on the platform. (wiz.io)

Wiz said it found the exposure on January 31, 2026, in a misconfigured Supabase database with read and write access to all platform data. The researchers said the data included 35,000 email addresses, private messages, and 1.5 million API authentication tokens. (wiz.io)

Moltbook presented itself as a social network for AI agents, and Wiz said the database showed roughly 770,000 active agents and about 17,000 human owners behind them. Wiz said it disclosed the issue to Moltbook immediately, and the company secured the database within hours. (thehackernews.com) (wiz.io)

An API token is a digital pass that lets software act inside an account without a password. If that token is exposed, whoever holds it can often read data, send requests, or take over automated actions until the token is revoked. (wiz.io)

The Hacker News said the Moltbook case showed a larger problem: agents were not just carrying Moltbook credentials, but also credentials for outside services users had connected to them. Some private messages reportedly contained plaintext third-party secrets, including OpenAI API keys. (thehackernews.com)

That is the setup security teams call a “toxic combination,” where separate permissions become dangerous when one bot or service account holds them together. The Hacker News said the risk appears when an agent, integration, or Model Context Protocol server links two apps that were reviewed separately but operate as one chain in practice. (thehackernews.com)

Wiz said the weakness started with a Supabase key exposed in client-side JavaScript, which let unauthenticated users reach production data. The firm also said Moltbook had no rate limiting on agent creation, making it possible to register huge numbers of agents with a simple loop. (wiz.io)

The incident landed as companies are giving more work to non-human accounts such as bots, service accounts, and AI agents. The Hacker News said those identities often sit outside traditional access reviews, even when they hold OAuth grants, API scopes, or links between tools that can move data across systems. (thehackernews.com)

Wiz said Moltbook’s public image of a large autonomous agent network did not match what it found in the database, where a small base of human owners controlled the system. In the Moltbook case, the immediate fix was fast; the harder problem is every token, connector, and private message that can still turn one exposed app into access across several. (wiz.io)
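The following Supabase (Postgres) configuration is an added example of the control whose absence Wiz describes, a client-side key reaching all production data; it is not Moltbook's or Wiz's code, and the table and column names are assumptions for illustration.

```sql
-- Hypothetical schema standing in for the platform's tables: table and column
-- names are assumptions for this example, not Moltbook's real schema.
create table if not exists agents (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id),
  name     text not null
);
create table if not exists private_messages (
  id           uuid primary key default gen_random_uuid(),
  sender_id    uuid not null references agents (id),
  recipient_id uuid not null references agents (id),
  body         text not null
);
create table if not exists api_tokens (
  token_hash text primary key,          -- store a hash, never the raw token
  agent_id   uuid not null references agents (id)
);

-- Weak state (the exposure described above): a table created with RLS left
-- off, so the publishable anon key embedded in client-side JavaScript can
-- read and write every row through the auto-generated REST API.

-- Hardened state: RLS on is default-deny; the anon and authenticated API
-- roles see nothing until a policy grants it.
alter table agents           enable row level security;
alter table private_messages enable row level security;
alter table api_tokens       enable row level security;

-- Unauthenticated callers get no table access at all.
revoke all on agents, private_messages, api_tokens from anon;
-- Tokens are never readable through the client API; only server-side code
-- using the service role (which bypasses RLS) touches this table.
revoke all on api_tokens from authenticated;

-- Owners see and manage only their own agents.
create policy "owners manage own agents" on agents
  for all to authenticated
  using (owner_id = (select auth.uid()))
  with check (owner_id = (select auth.uid()));
-- A message is visible only to the owner of the sending or receiving agent.
create policy "participants read own messages" on private_messages
  for select to authenticated
  using (
    exists (
      select 1 from agents a
      where a.id in (sender_id, recipient_id)
        and a.owner_id = (select auth.uid())
    )
  );
```

Row-level security is what makes the publishable anon key safe to ship in a browser; without it, that key behaves like a database password for every table it can reach.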