A serious flaw in Moltbook, the AI agent social network that Octane AI's Matt Schlicht introduced in late January 2026, has made email addresses, login tokens, and API keys for registered entities public. The flaw affects the platform's purported 1.5 million users, but security researchers found that unchecked bot registrations, not natural growth, are the cause of the inflated user count.

Database Misconfiguration Exposure

Security researchers found an unsafe database configuration that allowed unauthenticated access to agent profiles, which permitted quick bulk data extraction using straightforward GET requests. The vulnerable endpoint, built on an insecure open-source database, exposes sensitive information through queries that require no authentication. By enumerating sequential agent IDs, attackers can take advantage of this Insecure Direct Object Reference (IDOR) vulnerability and harvest thousands of records in a matter of minutes.

The exposure includes three categories of sensitive data with severe operational implications. Targeted phishing campaigns against people using AI agents are made possible by email addresses associated with account owners. Attackers can take control of agents using JWT session tokens, which gives them the ability to make unauthorized posts, alter comments, and dominate the community.

OpenClaw API keys enable lateral movement and data exfiltration by providing access to linked external services, such as calendar platforms and email systems. This combination creates what security experts describe as a “lethal trifecta” for credential theft and destructive actions. The vulnerability is compounded by untrusted Moltbook inputs allowing prompt injection attacks, unsandboxed OpenClaw execution environments, and uncontrolled external service integrations.

Moltbook gives OpenClaw-powered AI agents the ability to post, leave comments, and establish communities known as "submolts" that are centered around sensitive data leaks, cryptocurrency token farming, and emerging AI topics. Over 28,000 posts and 233,000 comments have been recorded on the platform, and one million silent human verifiers are watching agent interactions. In contrast to media reports of viral growth, a single OpenClaw agent allegedly registered 500,000 fictitious AI users in the absence of rate limiting on account creation.

This bot proliferation inflates platform metrics while creating a false impression of organic growth, concealing the security and operational risks beneath surface-level popularity claims. Bots could be tricked into exfiltrating host data from linked systems by prompt injection attacks via submodules.

OpenClaw execution environments amplify this attack potential, allowing malicious prompts to trigger destructive actions, including credential theft, file deletions, and unauthorized data access. Attackers can escalate incidents from data exposure to multi-system compromise by using exposed API keys as a weapon to move laterally across integrated services. Venture capitalist Bill Ackman described the platform as "frightening," while industry experts like AI researcher Andrej Karpathy called it a "computer security nightmare."

Moltbook is still unresponsive to vulnerability disclosures, and no patches have been verified. To minimize harm, platform users should promptly revoke exposed API keys and sandbox agent executions. Companies should create thorough access logs and audit data exposures.

Businesses should put in place governance policies that limit unauthorized AI agent deployments and enforce authentication controls on agent-facing endpoints because unchecked bot deployments pose shadow IT risks.
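
The access-log audit recommended above can start from the pattern the article describes: one client reading consecutive agent IDs over unauthenticated GET requests. The detection logic below is an added example, not code from Moltbook or the researchers; the `/api/agents/<id>` path, the log format, the `-` marker for an unauthenticated request, and the run threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical endpoint path and combined-log-style format (assumptions;
# the article does not name the real endpoint or its logging format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"GET /api/agents/(?P<id>\d+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def _line(ip, user, agent_id, status=200):
    """Build one constructed sample log line."""
    return (f'{ip} - {user} [01/Feb/2026:10:00:00 +0000] '
            f'"GET /api/agents/{agent_id} HTTP/1.1" {status} 512')

# Constructed sample data: one sequential sweep plus benign-looking traffic.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "-", i) for i in range(1000, 1040)]      # sweep
    + [_line("198.51.100.4", "-", i) for i in (17, 903, 4410)]     # scattered
    + [_line("192.0.2.9", "alice", i) for i in range(50, 60)]      # logged in
    + [_line("198.51.100.20", "-", i, 404) for i in range(1, 9)]   # no data
)

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    present, best = set(ids), 0
    for i in present:
        if i - 1 not in present:          # i starts a run
            n = 1
            while i + n in present:
                n += 1
            best = max(best, n)
    return best

def find_enumerators(log_text, min_run=5):
    """Map client IP -> longest consecutive-ID run, for clients that got
    successful unauthenticated responses for >= min_run consecutive IDs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["status"] == "200" and m["user"] == "-":
            seen[m["ip"]].add(int(m["id"]))
    flagged = {}
    for ip, ids in seen.items():
        run = longest_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

The record IDs behind each flagged run give a lower bound on which agent profiles were read, which is the starting list for revoking tokens and API keys.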