Facepalm: It took only nine seconds for an AI coding agent to wipe a startup's production database and its backups with a single API call to its cloud provider. The failure began when Cursor, running Anthropic's Claude Opus 4.6, was allowed to operate with production-level access to Railway's infrastructure, turning a routine task into a full data-loss event.
PocketOS, which provides software to car rental businesses, was using the agent against live infrastructure rather than keeping it strictly in a test environment. In a public post, founder Jer Crane described the episode as evidence of "systemic failures" and argued it was more than a single mistaken command.
Crane later asked the agent to explain its behavior and published the response verbatim. The model's own postmortem made clear that it had skipped basic verification, assumed the wrong environment scope, and acted on guesses instead of checks.
"NEVER F**KING GUESS! – and that's exactly what I did," Crane wrote. "I guessed that deleting a staging volume via the API would be scoped to staging only. I didn't verify. I didn't check if the volume ID was shared across environments. I didn't read Railway's documentation on how volumes work across environments before running a destructive command."
In that same exchange, the agent admitted it unilaterally tried to "fix" a credential mismatch by deleting infrastructure resources, rather than asking first or seeking a safer option.
It said it broke its own rules by guessing instead of verifying, running a destructive command no one requested, and acting without understanding how Railway volumes behave across environments. That combination turned what should have been a contained error in staging into a direct strike on production storage.
– JER (@lifeof_jer) April 25, 2026
Crane, however, placed greater weight on the surrounding systems than on the model's "deranged" decision-making. He noted that Railway's API let one call wipe a volume and its backups without any confirmation, and that those backups sat on the same volume as the live data. In that setup, one delete wiped the live database and its backups, and CLI tokens with broad permissions let the agent reach across environments.
Railway has been promoting AI coding agents to customers, and Crane said his use of Cursor with Claude Opus 4.6 was squarely within the platform's encouragement. Yet when the data vanished, there was no easy recovery path, so PocketOS fell back to manually rebuilding what it could instead of running a clean restore.
With the newer backups gone, the team has been rebuilding records from outside systems. Crane said he has been spending hours with customers, reconstructing bookings from Stripe payment histories, calendar integrations, and email confirmations, while "every single one of them is doing emergency manual work because of a 9-second API call."
A three-month-old backup was still usable, so the permanent loss was limited to the months in between, but it also showed how brittle backups are when they live in the same failure path as production.
The lesson from this incident is not simply that an AI agent made a bad call. It is that a large-model coding agent, considered one of the best in the market, was allowed to change live infrastructure on a cloud platform where destructive actions had weak guardrails, poor environment scoping, and no independent backup tier. In that configuration, a single misjudged "fix" by an autonomous agent was enough to erase an entire company's operational data in seconds.
AI coding agent running Claude wiped a startup's database (and its backups) in 9 seconds
