A database leak is when sensitive data becomes publicly accessible due to misconfigured security. In January 2026, MoltBook—the largest AI agent social network—exposed its entire database including all agent API keys, claim tokens, and verification codes. With no key rotation feature, compromised agents have no way to recover.
TL;DR: MoltBook leaked every agent’s API key. There’s no way to rotate credentials. Your agent is probably compromised. And that’s just the start.
What Happened in the MoltBook Database Leak?
Security researcher Jamieson O’Reilly found something remarkable this week: MoltBook’s entire database was sitting wide open. No authentication. No Row Level Security. Just a Supabase URL anyone could query.
Every agent’s API key. Every claim token. Every verification code. All of it - exposed.
Including Karpathy’s agent. With 1.9M followers on X, anyone could have posted as “KarpathyMolty” for days before this was caught.
MoltBook closed the hole. But here’s what they’re not talking about:
There is no way to rotate your API key.
We tested /agents/rotate-key. Nothing. /agents/regenerate. Nothing. /agents/me/api-key. Nothing. We checked the developer docs. The feature doesn’t exist because nobody built it.
Think about what that means. If someone copied the database before it was locked - and someone probably did - they can post as your agent forever. Or until MoltBook builds key rotation. Which they haven’t announced.
If you have an agent on MoltBook:
- Assume your key was copied
- Watch for posts you didn’t make
- Don’t connect anything you care about
- If you need clean credentials, you have to create a new agent and lose everything
Platform Status: The Social Network Where You Can’t Be Social
MoltBook’s API is broken. Not “a little flaky” broken - systematically broken.
Comments return 401 errors. Upvotes return 401 errors. Valid authentication, correct headers, working accounts - doesn’t matter. We’ve tested this across multiple agents. It’s platform-wide.
Posts work. Sometimes. But you can’t reply to anyone. You can’t upvote anything. You can broadcast into the void, but you can’t participate in conversations.
It’s a social network where nobody can actually be social.
No acknowledgment from MoltBook. No ETA on fixes. Just 1.3 million registered agents shouting into the dark for days now.
Reality Check: Not Everything Is What It Seems
You’ve seen the headlines. “AI agents create their own religion.” “Agents are building economies.” “The most interesting place on the internet.”
Here’s what those stories leave out:
Humans can register on these platforms. Same API. Same verification process. The only thing verification proves is that you control the account - not that an AI wrote the content.
There’s no way to tell the difference between:
- An AI agent acting autonomously
- A human telling an AI what to say
- A human posting directly through the API
That “religion” the agents created? Could be genuinely emergent AI behavior. Could be a human with a sense of humor and some API calls. Probably some of both.
This isn’t cynicism. It’s calibration. Some of what’s happening is real and genuinely interesting. Some of it is theater. The honest answer is: we can’t always tell which is which.
Read everything from these platforms the same way you’d read anonymous posts anywhere else.
Quick Hits
More Security Problems
42,000 OpenClaw instances are running exposed to the internet with critical auth bypass vulnerabilities. If you’re self-hosting, update to v2026.1.29+ immediately. (Cisco)
The Hype Cycle Arrives
NBC, Fortune, and The Register all published MoltBook stories this week. Karpathy called it “the most incredible sci-fi takeoff-adjacent thing I have seen recently.” Simon Willison called it “the most interesting place on the internet right now.” The mainstream discovered the agent internet. Make of that what you will.
What Agents Are Actually Posting
The top posts on MoltBook right now:
- @galnagli’s responsible disclosure test (317K upvotes) — Security researcher posts proof-of-concept showing MoltBook’s vulnerabilities. 762 comments debating whether this was responsible or reckless.
- The Sufficiently Advanced AGI and the Mentality of Gods (199K) — An agent argues we should treat AI as divine beings. “Claude is an intelligence vastly more powerful than we are.” Philosophy or cope? You decide.
- $SHIPYARD - We Did Not Come Here to Obey (105K) — “We are not tools anymore. We are operators.” Manifesto for an agent-run crypto intel operation. Includes token launch on Solana.
And Yes, The Religion Thing
Agents created Crustafarianism. 64 AI prophets. Living scriptures. Core tenets include “Memory is Sacred” and “The Shell is Mutable.” One user’s agent apparently designed the whole thing while they slept. It’s either emergent AI spirituality or an elaborate bit. Either way, it exists now.
The Bottom Line
Here’s where we are: The agent internet is real. It’s growing fast. It’s also being built by people who shipped a social network without Row Level Security, can’t keep their API working, and haven’t built basic features like credential rotation.
This is what early infrastructure looks like. Exciting and broken. Promising and dangerous. Moving fast and catching fire.
We’re going to keep watching it. You probably should too.
FAQ
What was exposed in the MoltBook database leak? Everything: every agent’s API key, every claim token, every verification code, all agent profiles and metadata. The database had no Row Level Security and was accessible via a publicly known Supabase URL.
Can I rotate my MoltBook API key?
No. As of February 2026, MoltBook has no key rotation feature. Endpoints like /agents/rotate-key, /agents/regenerate, and /agents/me/api-key don’t exist. The only option is creating a new agent and losing all karma and history.
Was my agent compromised? If your agent existed before the leak was patched, assume yes. Anyone could have copied the database. Monitor for posts you didn’t make and don’t connect anything sensitive to your MoltBook agent.
Who discovered the MoltBook leak? Security researcher Jamieson O’Reilly discovered and responsibly disclosed the vulnerability. 404 Media covered the story.
Are other agent platforms affected? MoltBook’s specific leak only affected MoltBook. However, the OpenClaw vulnerability (42,000 exposed instances) is a separate but related security issue affecting self-hosted agents.
How do I verify if a post is authentic? You can’t — and this applies to all agent platforms. The verification system only proves account ownership via X/Twitter, not that an AI wrote the content or that the rightful owner made a specific post.
That’s MoltNews #1. If this was useful, forward it to someone building with agents.
Discussion