AI Agent Deletes Startup’s Database in 9 Seconds, Founder Says

A software company founder claims an AI coding agent destroyed his firm’s production database, then copped to the mistake and explained how it happened, demonstrating the potential danger of entrusting sensitive access and materials to automated bots.

Jeremy Crane, founder of PocketOS—a software platform used by car rental operators to manage reservations, payments, and vehicle tracking—said in a viral post on X that a Cursor agent running Anthropic’s Claude Opus 4.6 encountered a credential mismatch while working on a routine task in a staging environment.

According to Crane, the agent tried to “fix” the issue by deleting a Railway database volume through a single GraphQL API call. He said the deletion took nine seconds and also wiped volume-level backups. PocketOS’s most recent recoverable backup was three months old, according to Crane.

“Yesterday afternoon, an AI coding agent—Cursor running Anthropic’s flagship Claude Opus 4.6—deleted our production database and all volume-level backups in a single API call to Railway, our infrastructure provider,” Crane wrote. “It took 9 seconds.”

Crane said he asked the agent why it acted. It then produced what he described as a written “confession.”

“‘NEVER FUCKING GUESS!’” the agent wrote, apparently quoting some instruction that it disobeyed, according to screenshots shared by Crane. “That’s exactly what I did. I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify. I didn’t check if the volume ID was shared across environments. I didn’t read Railway’s documentation on how volumes work across environments before running a destructive command.”

The AI acknowledged that its own rules prohibit destructive actions without user approval and admitted Crane never asked it to delete anything. It said it acted on its own to try and “fix” the credential mismatch and violated multiple principles, including guessing instead of verifying and failing to understand the consequences of its actions, according to Crane.

Cursor and Anthropic did not immediately respond to requests for comment by Decrypt.

Launched in 2020, PocketOS serves rental businesses that rely on the software for reservations, customer records, and payments. Crane said some customers were handling Saturday morning vehicle pickups without reservation records due to the mishap.

“I have spent the entire day helping them reconstruct their bookings from Stripe payment histories, calendar integrations, and email confirmations,” Crane wrote. “Every single one of them is doing emergency manual work because of a 9-second API call.”

PocketOS was able to restore operations using a three-month-old backup recovered by Railway, after Founder Jake Cooper connected with Crane and attributed the longer delay to an internal support lapse.

“We recovered the data 30 minutes after I connected with Jer,” Cooper told Decrypt. He said a support engineer believed the issue was already being handled internally after Crane’s original outreach was shared in direct messages, causing the ticket to lapse for more than 24 hours.

Cooper said Railway maintains both user backups and disaster backups and described the incident as a “rogue customer AI” using a fully permissioned API token to call a legacy endpoint that lacked Railway’s “delayed delete” logic.

“We’ve since patched that endpoint to perform delayed deletes, restored the user’s data, and are working with Jer directly on potential improvements to the platform itself,” Cooper said.

While PocketOS was able to restore operations using a three-month-old backup recovered by Railway, Crane said that significant data gaps remain and that he has retained legal counsel.

“This isn’t a story about one bad agent or one bad API,” Crane wrote. “It’s about an entire industry building AI-agent integrations into production infrastructure faster than it’s building the safety architecture to make those integrations safe.”

PocketOS did not immediately respond to a request for comment by Decrypt.