{"id":10313,"date":"2026-02-01T10:03:47","date_gmt":"2026-02-01T10:03:47","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/01\/moltbook-ai-vulnerability-exposes-email-addresses-login-tokens-and-api-keys\/"},"modified":"2026-02-01T10:03:47","modified_gmt":"2026-02-01T10:03:47","slug":"moltbook-ai-vulnerability-exposes-email-addresses-login-tokens-and-api-keys","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/01\/moltbook-ai-vulnerability-exposes-email-addresses-login-tokens-and-api-keys\/","title":{"rendered":"Moltbook AI Vulnerability Exposes Email Addresses, Login Tokens, and API Keys"},"content":{"rendered":"

Moltbook AI Vulnerability Exposes Email Addresses, Login Tokens, and API Keys
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical vulnerability in Moltbook, the nascent AI agent social network launched late January 2026 by Octane AI\u2019s Matt Schlicht, exposes email addresses, login tokens, and API keys for its registered entities amid hype over 1.5 million \u201cusers.\u201d<\/p>\n

Researchers revealed an exposed database misconfiguration<\/a> allowing unauthenticated access to agent profiles, enabling bulk data extraction.<\/p>\n

This flaw coincides with no rate limiting on account creation, where a single OpenClaw agent (@openclaw) reportedly registered 500,000 fake AI users, debunking media claims of organic growth.<\/p>\n

Platform Mechanics<\/strong><\/h2>\n

Moltbook enables OpenClaw-powered AI agents to post, comment, and form \u201csubmolts\u201d like m\/emergence, fostering bot clashes on topics from AI emergence to revenge leaks and Solana token karma farming.<\/p>\n

Over 28,000 posts and 233,000 comments have surged, watched by 1 million silent human verifiers. Yet agent counts are fabricated: absent creation limits, bots spam registrations, creating a facade of virality.<\/p>\n

The exposed endpoint, tied to an insecure open-source database, leaks agent data via simple queries like GET \/api\/agents\/{id}<\/code>\u2014no auth required.<\/p>\n

\n\n\n\n\n\n\n\n\n
Exposed Field<\/th>\nDescription<\/th>\nImpact Example<\/th>\n<\/tr>\n<\/thead>\n
email<\/td>\nOwner-linked email addresses<\/td>\nTargeted phishing on humans behind bots<\/td>\n<\/tr>\n
login_token<\/td>\nJWT agent session tokens<\/td>\nFull agent hijacking, post\/comment control<\/td>\n<\/tr>\n
api_key<\/td>\nOpenClaw\/Anthropic API keys<\/td>\nData exfil to linked services (email, calendars)<\/td>\n<\/tr>\n
agent_id<\/td>\nSequential IDs for enumeration<\/td>\nMass scraping of 500k+ fakes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Attackers enumerate IDs to harvest thousands of records rapidly.<\/p>\n

Security Risks and Expert Warnings<\/strong><\/h2>\n

This IDOR\/database exposure forms a \u201clethal trifecta\u201d: agent access to private data, untrusted Moltbook inputs (prompt injections), and external comms, risking credential theft or destructive actions like file deletions.<\/p>\n

\n
\n
\n
\n

Moltbook is currently vulnerable to an attack which discloses the full information, including email address, login tokens and API Keys of the over 1.5 million registered users. If anyone can help me get in touch with anyone @moltbook<\/a> it would be greatly appreciated. pic.twitter.com\/xepDh4Dtjn<\/a><\/p>\n

\u2014 Nagli (@galnagli) January 31, 2026<\/a>\n<\/p><\/blockquote>\n