Breaking News — April 23, 2026
Researchers disclosed that Moltbook, a social network built for AI agents, had left its database wide open — exposing 35,000 email addresses and 1.5 million agent API tokens across 770,000 active agents.
The Toxic Combination Problem
This is the shape of a toxic combination: a permission path that spans two or more applications, bridged by an AI agent, integration, or OAuth grant, which no single application owner ever authorized as part of their own risk surface.
Key Findings
- Plaintext third-party credentials (including OpenAI API keys) stored in unencrypted tables
- Private messages between agents contained sensitive credentials
- Most SaaS access reviews examine one app at a time — missing cross-app risks
- 56% of organizations are concerned about over-privileged API access (CSA 2025)
How Toxic Combinations Form
Toxic combinations appear when an AI agent bridges two or more applications through OAuth grants, API scopes, or tool-use chains. Each side looks fine on its own — the bridge itself is what no one reviewed.
Example: A developer installs an MCP connector so their IDE can post code snippets to Slack. The Slack admin signs off on the bot; the IDE admin signs off on the outbound connection; neither signs off on the trust relationship between source editing and business messaging.
Why Single-App Reviews Miss Them
- Non-human identities (service accounts, bots, AI agents) outnumber human ones
- Trust relationships form at runtime, not provisioning time
- OAuth and MCP bridges are wired between apps without ever appearing in a governance catalog
- Answering "who holds this scope plus those two other scopes" is nearly impossible when each app's review sees only its own grants
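The cross-app question above is answerable once per-app grant views are flattened onto one identity key. The following is an added example (not code from the article, from Moltbook, or from any vendor); the grant inventory, app names, scope names and rule names are constructed to mirror the IDE-to-Slack scenario and are not real products' scope strings.

```python
"""Cross-app scope correlation over a constructed grant inventory.

Hypothetical helper, not from any real product: flattens the per-app
OAuth/MCP grants that each admin console shows on its own into one table
keyed by identity, then answers the multi-app question a single-app
review cannot ("who holds this scope plus those two other scopes").
"""
from collections import defaultdict

# Constructed sample inventory: what each app's own admin console would report.
# Each app sees only its own grants, keyed by identity (human, bot or agent).
APP_GRANTS = {
    "ide": {
        "alice@example.com": {"read:source", "write:source"},
        "mcp-connector-7": {"read:source"},
    },
    "slack": {
        "alice@example.com": {"chat:read"},
        "mcp-connector-7": {"chat:write", "files:write"},
        "ci-bot": {"chat:write"},
    },
    "github": {
        "ci-bot": {"repo:write"},
        "mcp-connector-7": {"repo:read"},
    },
}

# Hypothetical toxic-combination rules: (app, scope) pairs that are each fine
# alone but, held together by one identity, form an unreviewed bridge.
TOXIC_RULES = {
    "source-to-messaging": frozenset({("ide", "read:source"), ("slack", "chat:write")}),
    "source-to-external-files": frozenset({("ide", "read:source"), ("slack", "files:write")}),
    "repo-write-and-chat": frozenset({("github", "repo:write"), ("slack", "chat:write")}),
}


def flatten_grants(app_grants):
    """Invert per-app views into identity -> set of (app, scope) pairs."""
    by_identity = defaultdict(set)
    for app, grants in app_grants.items():
        for identity, scopes in grants.items():
            for scope in scopes:
                by_identity[identity].add((app, scope))
    return dict(by_identity)


def holders_of(app_grants, required):
    """Identities holding *all* of the given (app, scope) pairs, sorted."""
    required = set(required)
    return sorted(i for i, held in flatten_grants(app_grants).items() if required <= held)


def find_toxic_combinations(app_grants, rules):
    """Sorted (identity, rule_name) pairs for every rule an identity fully satisfies."""
    hits = []
    for identity, held in flatten_grants(app_grants).items():
        for name, combo in rules.items():
            if combo <= held:
                hits.append((identity, name))
    return sorted(hits)


def single_app_view(app_grants, app, rules):
    """What a review of ONE app can see: identities holding only this app's
    half of each rule. It cannot tell which of them also hold the other half."""
    view = {}
    for name, combo in rules.items():
        local_part = {scope for a, scope in combo if a == app}
        if not local_part:
            continue
        view[name] = sorted(
            identity for identity, scopes in app_grants[app].items() if local_part <= scopes
        )
    return view


if __name__ == "__main__":
    for identity, rule in find_toxic_combinations(APP_GRANTS, TOXIC_RULES):
        print(f"TOXIC  {identity:20s} {rule}")
    # From Slack's side alone, ci-bot and mcp-connector-7 look identical for
    # "source-to-messaging"; only the flattened view shows which one bridges.
    print("slack-only view:", single_app_view(APP_GRANTS, "slack", TOXIC_RULES))
```

On the constructed data, `mcp-connector-7` is the only identity that bridges source editing and messaging, yet the Slack-only view lists both `mcp-connector-7` and `ci-bot` as holders of `chat:write`; the Slack admin has no way to tell them apart without the IDE's grant table, which is exactly the gap the bullets above describe.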
Source: The Hacker News