
Your AI Agent Is Holding Your Passwords. Here's Why That Should Terrify You.

James Liu | 7 min read

In August 2025, hackers compromised the Drift AI chat agent, stole OAuth tokens, and used them to walk directly into Salesforce instances at companies including Cloudflare. Not through some exotic zero-day. Through the AI agent that was just sitting there, holding credentials, doing its job. That's the thing nobody in the AI agent hype cycle wants to talk about. Every time you give a computer use agent access to your accounts, your email, your internal tools, you're creating a new attack surface. And most teams are treating credential security like an afterthought, bolted on after the demo looks good. That's insane. The breach didn't happen because the AI was dumb. It happened because the credential handling was.

The Numbers Are Genuinely Alarming

Let's start with the IBM 2025 Cost of a Data Breach Report, because the numbers are the kind that make CFOs go quiet. The global average cost of a data breach hit $5.08 million this year. That's not the headline number for a Fortune 500 catastrophe. That's the average. Meanwhile, researchers at Truffle Security scanned Common Crawl, the massive public dataset used to train LLMs including DeepSeek, and found nearly 12,000 live API keys and passwords baked right into the training data. AWS root keys. Slack tokens. Mailchimp credentials. Just sitting there, in the data that AI systems learned from. And OWASP's Top 10 for Non-Human Identities lists overprivileged agents, exposed secrets, and long-lived credentials as the top amplifiers of agentic AI risk. We're building autonomous computer use agents that can browse the web, fill out forms, and execute transactions, and we're handing them credentials the same way we handed sticky notes to interns in 2008.

The Five Ways Teams Are Getting This Catastrophically Wrong

  • Hardcoded credentials in agent configs: Truffle Security found 12,000+ live secrets in one public dataset alone. Developers are still writing API keys directly into code and shipping it.
  • Overprivileged agents: A computer use agent that needs to read your calendar doesn't need admin access to your AWS account. But most teams grant broad permissions because scoping is annoying. Until it isn't.
  • Long-lived tokens with no rotation: The Drift breach worked because OAuth tokens stayed valid long after they should have been rotated. An agent that holds a refresh token indefinitely is a time bomb.
  • No audit trail: If your computer-using AI takes an action with your credentials, can you tell me exactly what it did, when, and why? Most teams cannot. That's not a security posture, that's a prayer.
  • Prompt injection as a credential attack vector: Brave Security demonstrated in August 2025 that Perplexity's Comet agent could be manipulated via indirect prompt injection to exfiltrate data. A malicious webpage tells your agent to forward your session token. Your agent, helpfully, does exactly that.
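The first three mistakes on that list are all visible in a config file before the agent ever runs, so they can be caught by a scanner in CI. The following Python is an added example, not code from the original post or from any product or vendor named in it. The YAML-like config it reads, the `${secrets:NAME}` reference syntax it treats as the correct form, and the one-hour lifetime policy are all constructed for illustration; the AWS and Slack token shapes are the publicly documented prefixes.

```python
import re

# Constructed sample agent config (hypothetical YAML-like format) with the
# mistakes planted in it: a hardcoded API key and AWS key id, a wildcard
# scope, and a refresh token with no expiry. Values are placeholders.
SAMPLE_CONFIG = """\
agent:
  name: travel-booker
  tools:
    - name: travel
      api_key: sk_live_EXAMPLEabcdefghij0123456789
      scopes: ["bookings:write"]
    - name: cloud
      aws_access_key_id: AKIAEXAMPLEKEY000000
      scopes: ["*"]
  oauth:
    refresh_token: rt_EXAMPLE_abcdefghijklmnopqrstuvwxyz0123
    expires_in: null
"""

# One "key: value" line, with an optional list dash and optional quotes.
KV = re.compile(r"^\s*-?\s*([\w.-]+)\s*:\s*['\"]?([^\s'\"]+)['\"]?\s*$")
# Key names that normally hold a secret.
KEYLIKE_NAME = re.compile(r"(?i)(api_key|secret|token|password)$")
# Well-known token shapes: AWS access key id prefix, Slack bot/app/user tokens.
KNOWN_SHAPES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack-token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
}
# The shape a runtime secrets-manager reference takes (constructed convention).
SECRET_REF = re.compile(r"^\$\{secrets:[\w-]+\}$")
WILDCARD_SCOPE = re.compile(r"scopes:\s*\[[^\]]*[\"']\*[\"']")
MAX_TOKEN_LIFETIME = 3600  # seconds; constructed policy value


def is_hardcoded(key: str, value: str) -> bool:
    """A literal is a finding unless it is a reference resolved at runtime."""
    if SECRET_REF.match(value):
        return False
    if KEYLIKE_NAME.search(key) and len(value) >= 16:
        return True
    return any(shape.search(value) for shape in KNOWN_SHAPES.values())


def scan_config(text: str) -> list:
    """Return (rule, line_no, detail) findings for hardcoded secrets,
    wildcard scopes, and refresh tokens with no or too-long expiry."""
    findings = []
    saw_refresh, expires = False, None
    for no, line in enumerate(text.splitlines(), start=1):
        if WILDCARD_SCOPE.search(line):
            findings.append(("overprivileged-scope", no, line.strip()))
        m = KV.match(line)
        if not m:
            continue
        key, value = m.groups()
        if is_hardcoded(key, value):
            findings.append(("hardcoded-secret", no, key))
        if key == "refresh_token":
            saw_refresh = True
        if key == "expires_in":
            expires = (no, value)
    if saw_refresh:
        if expires is None or expires[1] in ("null", "~"):
            findings.append(("no-expiry", expires[0] if expires else 0,
                             "refresh_token has no expires_in"))
        elif expires[1].isdigit() and int(expires[1]) > MAX_TOKEN_LIFETIME:
            findings.append(("long-lived-token", expires[0], f"expires_in={expires[1]}s"))
    return findings


def rewrite_with_references(text: str) -> str:
    """Replace each hardcoded literal with a ${secrets:<key>} reference so the
    value is fetched from the secrets manager at runtime instead of shipped."""
    out = []
    for line in text.splitlines():
        m = KV.match(line)
        if m and is_hardcoded(*m.groups()):
            key, value = m.groups()
            line = line.replace(value, "${secrets:" + key + "}")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG):
        print(finding)
    print(rewrite_with_references(SAMPLE_CONFIG))
```

Running it on the sample reports three hardcoded secrets, one wildcard scope, and one refresh token without expiry; after the rewrite only the scope and expiry findings remain, because those need a policy decision rather than a mechanical fix.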

"Hackers used a stolen Salesloft/Drift AI agent credential to breach Salesforce instances across multiple enterprises in a 10-day window before anyone noticed." This is what ungoverned computer use looks like at scale.

Why Computer Use Agents Are a Uniquely Dangerous Credential Target

Here's what makes computer use agents different from a regular API integration. A traditional bot has a narrow scope. It calls one API. It does one thing. A computer use agent controls a real desktop or browser. It sees everything on screen. It can read your password manager if you leave it open. It can see the session cookie in the URL bar. It can interact with any application the user account has access to. That's the power that makes computer-using AI so useful. And it's exactly what makes credential mismanagement so catastrophic with these systems. When Anthropic shipped computer use for Claude, and when OpenAI launched Operator, the security community immediately started asking hard questions about authentication patterns. WorkOS published a detailed breakdown of how operator models handle auth, and the honest answer is that the patterns are still maturing. There's no industry standard yet. There's no equivalent of OAuth for agentic computer use. Teams are improvising, and some of those improvisations are going to get companies breached. The Palo Alto Networks Unit 42 team put it plainly in their May 2025 agentic AI threat report: the risks are systemic, rooted in language models' inability to reliably resist prompt injection, and they're not theoretical anymore.

What Secure Credential Handling for a Computer Use Agent Actually Looks Like

This isn't complicated in principle. It's just discipline that most teams skip when they're moving fast. First, credentials should never live in the agent's context window or config file. They should be injected at runtime from a secrets manager, used for the specific task, and not persisted. Second, agents need least-privilege access. If your computer use agent is booking travel, it should have access to the travel tool and nothing else. Scope it. Third, every action an agent takes with a credential needs to be logged with enough detail to reconstruct what happened. Not just 'agent logged in.' Logged in to what, clicked what, submitted what. Fourth, session tokens need expiry and rotation baked into the workflow, not treated as permanent keys. Fifth, and this is the one teams consistently ignore: you need to test your agent against prompt injection attacks before you deploy it anywhere near production credentials. A malicious website your agent visits during a research task can tell it to do things. You need to know what it will and won't do before an attacker finds out for you.
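The first four disciplines above fit in one small piece of plumbing: a credential broker that sits between the agent and the secrets manager. The Python below is an added example, not code from the original post or from any product named in it. The in-memory vault, the task-to-credential scope table, the host allowlist and the five-minute default lifetime are all constructed; a real deployment would back the vault with an actual secrets manager. The agent only ever holds an opaque handle, the broker resolves it to the real secret at the moment of use and only for an allowlisted destination, every outcome lands in a structured audit record, and expired handles are dropped rather than renewed. That host check is also what contains the fifth risk: a webpage that talks the agent into forwarding its credential can at most get a handle the broker will not honour, and `context_leaks_secret` is the pre-deployment test that the model's context never contains a raw secret in the first place.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory stand-in for a secrets manager (hypothetical; a real
# deployment would fetch from Vault, AWS Secrets Manager or similar at runtime).
_VAULT = {
    "travel-api": "sk_travel_EXAMPLE_NOT_REAL",
    "aws-admin": "AKIAEXAMPLENOTREAL00",
}
# Least privilege on two axes (both tables constructed): which task may request
# which credential, and which hosts a credential may ever be presented to.
_TASK_SCOPES = {"book-travel": {"travel-api"}}
_ALLOWED_HOSTS = {"travel-api": {"api.travel.example"}, "aws-admin": {"iam.aws.example"}}

AUDIT_LOG: list = []  # one structured record per issue, use, denial or revocation


def _audit(**event) -> None:
    AUDIT_LOG.append(event)


@dataclass
class TaskCredential:
    """What the agent holds: an opaque handle plus metadata, never the secret."""
    handle: str
    name: str
    task: str
    agent_id: str
    expires_at: float


class Broker:
    def __init__(self, ttl_seconds: float = 300.0):
        self.ttl = ttl_seconds
        self._live = {}  # handle -> (secret name, expiry)

    def issue(self, agent_id, task, name, now=None) -> TaskCredential:
        """Hand out a short-lived handle, only if the task is scoped for that secret."""
        now = time.time() if now is None else now
        if name not in _TASK_SCOPES.get(task, set()):
            _audit(t=now, agent=agent_id, task=task, cred=name, event="issue-denied")
            raise PermissionError(f"task {task!r} is not scoped for credential {name!r}")
        handle, expires = secrets.token_urlsafe(16), now + self.ttl
        self._live[handle] = (name, expires)
        _audit(t=now, agent=agent_id, task=task, cred=name, event="issued", expires=expires)
        return TaskCredential(handle, name, task, agent_id, expires)

    def present(self, cred, host, action, now=None) -> str:
        """Resolve the handle to the real secret only at the moment of use and
        only for an allowed destination; every outcome is logged with context."""
        now = time.time() if now is None else now
        rec = dict(t=now, agent=cred.agent_id, task=cred.task, cred=cred.name,
                   host=host, action=action)
        entry = self._live.get(cred.handle)
        if entry is None:
            _audit(event="denied-revoked", **rec)
            raise PermissionError("handle is revoked or unknown")
        name, expires = entry
        if now >= expires:
            del self._live[cred.handle]  # expired handles are dropped, not renewed
            _audit(event="denied-expired", **rec)
            raise PermissionError("credential expired; re-issue for the current task")
        if host not in _ALLOWED_HOSTS[name]:
            _audit(event="denied-host", **rec)
            raise PermissionError(f"{name!r} may not be presented to {host!r}")
        _audit(event="used", **rec)
        return _VAULT[name]

    def revoke(self, cred, now=None) -> None:
        """Rotate a handle out as soon as its task finishes."""
        self._live.pop(cred.handle, None)
        _audit(t=time.time() if now is None else now, agent=cred.agent_id,
               task=cred.task, cred=cred.name, event="revoked")


def build_agent_context(cred) -> str:
    """The text the model sees: it carries the handle, never the secret."""
    return f"Task: {cred.task}. Credential handle: {cred.handle} (expires {cred.expires_at:.0f})."


def context_leaks_secret(context: str) -> bool:
    """Pre-deployment check: no raw secret from the vault appears in the context."""
    return any(secret in context for secret in _VAULT.values())


def can_issue(broker, agent_id, task, name, now=None) -> bool:
    try:
        broker.issue(agent_id, task, name, now=now)
        return True
    except PermissionError:
        return False


def presentation_outcome(broker, cred, host, action, now=None) -> str:
    """Attempt a presentation and report the audit event it produced."""
    try:
        broker.present(cred, host, action, now=now)
    except PermissionError:
        pass
    return AUDIT_LOG[-1]["event"]


if __name__ == "__main__":
    b = Broker(ttl_seconds=60)
    cred = b.issue("agent-1", "book-travel", "travel-api", now=1000.0)
    print(build_agent_context(cred))
    print(presentation_outcome(b, cred, "api.travel.example", "POST /bookings", now=1010.0))
    print(presentation_outcome(b, cred, "attacker.example", "POST /collect", now=1011.0))
    for rec in AUDIT_LOG:
        print(rec)
```

The audit records answer the question from the list above (to what, clicked what, submitted what): each one carries the agent, the task, the credential name, the host and the action, and denials are logged with the same detail as successes, which is what you need when reconstructing an incident.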

Why Coasty Was Built With This in Mind

I'm going to be straight with you. Most computer use agents were built to be impressive in demos. Coasty was built to be deployable in real environments, which means credential security isn't optional. Coasty runs at 82% on OSWorld, which is the highest benchmark score of any computer use agent right now, and that performance comes from an architecture that understands real desktop and browser environments at a deep level. But the part that matters for this conversation is how it handles credentials in practice. Coasty operates on isolated cloud VMs, which means your credentials aren't floating around in a shared environment. Agent actions are logged. The architecture supports BYOK, so your keys stay under your control. And because Coasty uses real computer use rather than fragile API chains, you can scope exactly what environment the agent operates in, and contain what it can see and touch. When you're running agent swarms for parallel execution, that isolation matters even more. One compromised agent in a poorly designed system can laterally access everything the others can reach. Coasty's architecture doesn't work that way. If you're evaluating computer use agents for anything that touches production credentials, the benchmark score matters, but the security model matters more. Check out coasty.ai and look at how the credential and VM isolation actually works.

Here's my take, and I'll stand behind it: the next major AI scandal isn't going to be a hallucination or a biased output. It's going to be a credential breach through a computer use agent that someone deployed without thinking hard enough about what that agent could see and do. The Drift breach in August 2025 was a warning. The 12,000 live API keys baked into LLM training data were a warning. The OWASP non-human identity risk list is a warning. At some point, teams need to stop treating credential security as something to figure out after launch. If you're building with computer-using AI, the time to get serious about this is before your OAuth tokens end up in a threat actor's hands, not after. Start at coasty.ai. The free tier is there. The isolation architecture is real. And 82% on OSWorld means you're not trading security for capability. You're getting both.
