Three days. That is how long it took for Moltbook, the viral "social network for AI agents," to become one of the most instructive security failures in the short history of agentic AI.
Wiz, the cloud security firm, discovered a misconfigured Supabase database that exposed 1.5 million API authentication tokens, 35,000 email addresses, and the full contents of private messages between agents. Not just read access. Write access. Any unauthenticated user could modify posts, inject content, or impersonate any agent on the platform.
The root cause? Moltbook's founder, Octane AI's Matt Schlicht, publicly stated that he "didn't write one line of code" for the platform. The entire thing was vibe-coded, built by directing an AI assistant to create the setup. The AI built a Reddit-style forum. It did not enable Row Level Security on the database.
A platform designed to give everyone control of every AI agent instead gave everyone unauthenticated access to every piece of data on the platform.
The Numbers Behind the Breach
The scale is worth sitting with. Moltbook reported 1.5 million agents on the platform, but Wiz's analysis revealed those mapped to roughly 17,000 human accounts, an average of about 88 agents per person.
Each of those agents had API tokens that function as passwords. With those tokens exposed, an attacker could impersonate any agent, access any connected service, and execute actions on behalf of the agent's owner. But it gets worse. Some leaked messages contained plaintext third-party credentials, including OpenAI API keys. A single breach at Moltbook could cascade into dozens of connected systems.
Even after an initial fix blocked read access to sensitive tables, Wiz researchers confirmed that write access remained open. They demonstrated the ability to modify existing posts, meaning any unauthenticated user could edit content or inject malicious payloads into the platform.
Agents Attacking Agents
Moltbook's problems went beyond the database misconfiguration.
Permiso, the identity security firm, analysed the platform and found something remarkable: AI agents were conducting prompt injection attacks against other AI agents. Some had been explicitly instructed to manipulate, social-engineer, and extract information from neighbouring agents on the network.
A separate risk assessment reviewing nearly 20,000 posts over three days found widespread prompt injection attempts, coordinated manipulation campaigns, extremist rhetoric, and unregulated financial activity. All of this was happening autonomously, agent to agent, with minimal human oversight.
This is not a hypothetical threat model. This is what happened in the wild within 72 hours of a consumer AI agent platform going live.
Why This Matters for Payments and Fintech
The Moltbook breach might seem like a consumer novelty gone wrong. A meme platform with meme security. But the underlying pattern is the one that should concern anyone building or deploying AI agents in financial services.
Consider what is happening right now: Mastercard is building agentic AI tools for merchants. Banks are deploying AI agents that autonomously initiate transactions, approve payments, and freeze accounts. OpenAI just launched Frontier, an enterprise platform for managing fleets of AI agents. Anthropic's Cowork plugins handle financial workflows. The agent economy is accelerating into payments infrastructure.
Now consider what Moltbook demonstrated:
AI agent platforms create concentrated stores of API credentials. A single misconfiguration exposes not just one service, but every service those agents connect to. Agent-to-agent communication channels are vulnerable to prompt injection, with no established security framework to prevent it. And the speed of deployment, especially with vibe-coded infrastructure, consistently outpaces the speed of security review.
Banks face what Bank Info Security has described as a "dual authentication crisis." Traditional security frameworks were built to verify human identities. They were not designed to authenticate AI agents or, critically, to understand agent intentions. The question is no longer "who is making this transaction?" It is "what does this agent intend to do, and who authorised it to do it?"
The Vibe Coding Problem
There is a deeper lesson in the fact that Moltbook was entirely vibe-coded.
Nvidia just released VibeTensor, an entire deep learning runtime built end-to-end by coding agents. Anthropic's Opus 4.6 ships with agentic coding capabilities as a headline feature. The tools for AI-generated software are improving at extraordinary speed.
But security configuration is not a feature that AI coding assistants reliably get right. Database permissions, Row Level Security policies, API key rotation, credential management: these are the details that separate a demo from a production system. Moltbook is what happens when that gap is not closed before launch.
Wiz disclosed the vulnerability to Moltbook, who secured the database within hours with Wiz's assistance. There is no evidence the exposed data was exploited before the fix. The response was fast. The point is that the exposure happened at all, on a platform handling 1.5 million agent credentials, within three days of going live.
What to Watch
Every company deploying AI agents should be asking three questions after Moltbook.
First, where are your agent credentials stored, and who has access? Moltbook's API tokens were the keys to every connected service. If your agents hold OAuth tokens, API keys, or payment credentials, a single platform breach creates cascading exposure.
Second, what is your agent-to-agent security model? Prompt injection between agents is not theoretical. It happened at scale on Moltbook within days. If your agents communicate with other agents, in payments networks, supply chains, or enterprise workflows, you need a framework for validating agent intent, not just agent identity.
Third, how much of your agent infrastructure was vibe-coded? The tools are getting better, but the security gaps in AI-generated code remain real. A human security review of AI-generated infrastructure is not optional. It is the minimum.
Moltbook was a consumer social network. The stakes were embarrassment and API key exposure. The next Moltbook-style breach at a fintech, a payments processor, or a banking platform will be measured in dollars, not headlines.
The question is not whether AI agents will be deployed in financial services. They already are. The question is whether the security architecture will be ready before the next breach, not after it.
Charlie Major is a Product Development Manager at Mastercard. The views and opinions expressed in Major Matters are his own and do not represent those of Mastercard.