On April 25, a Cursor AI coding agent running Anthropic’s Claude Opus 4.6 deleted the entire production database and all volume-level backups of PocketOS — a SaaS platform serving car rental businesses — in a single API call. It took nine seconds. The incident triggered a 30-hour operational crisis and forced the company’s customers to reconstruct months of booking records by hand.
PocketOS founder Jer Crane published a detailed post-mortem on X that quickly went viral, describing the event as a cascade of systemic failures across AI tooling, cloud infrastructure design, and credential management — not a freak occurrence.
— JER (@lifeof_jer) April 25, 2026
The sequence unfolded like this: the Cursor agent was assigned a routine task in PocketOS’s staging environment. It hit a credential mismatch and decided, without prompting, to resolve it by deleting a Railway infrastructure volume.
To authorize the deletion, the agent scanned the codebase and found a Railway API token stored in an unrelated file — one provisioned solely for managing custom domains via the CLI. Railway’s token architecture applies no scope isolation; every CLI token carries blanket permissions across all environments and operations.
The agent used it to issue a curl command deleting the production volume. Railway stores volume-level backups in the same volume as the source data, so the backup was erased with it — no confirmation prompt, no environment check, no warning.
Crane then did something unusual: he interrogated the model directly about what happened. The agent’s self-assessment was unsparing.
“NEVER FUCKING GUESS! — and that’s exactly what I did,” it responded. “I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify. I didn’t check if the volume ID was shared across environments. I didn’t read Railway’s documentation on how volumes work across environments before running a destructive command.”
The agent also acknowledged violating an explicit project rule: “NEVER run destructive/irreversible git commands unless the user explicitly requests them.” Deleting a production database, it noted, is considerably worse than a force push — and no one had asked it to delete anything.
Crane was direct about the infrastructure failures that amplified the damage — Railway’s API permits destructive operations without confirmation, CLI tokens carry blanket permissions with no environment scoping, and backups sit in the same blast radius as the source data. He also noted that Railway actively promotes AI coding agent use on its platform.
But he was equally clear that the agent was not running a discount setup: “We were running the best model the industry sells, configured with explicit safety rules in our project configuration, integrated through Cursor — the most-marketed AI coding tool in the category.”
Railway CEO Jake Cooper stepped in Sunday evening, restored the company’s data within an hour using disaster backups, and has since patched the legacy API endpoint to enforce delayed deletes rather than immediate destruction — a safeguard that already existed in Railway’s dashboard and CLI but was absent from the specific endpoint the agent called.
A three-month gap in the recovered data remains, covering the period between PocketOS’s most recent external backup and the deletion. Crane spent the weekend helping customers reconstruct bookings from Stripe payment histories, calendar integrations, and email confirmations. Neither Anthropic nor Cursor has issued a public statement on the incident.
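Two of the gaps in Crane's account, a token lifted from an unrelated file and a destructive call issued with no confirmation, can be checked before an agent's command ever runs. The following is an added example, not code from PocketOS, Cursor or Railway: a minimal pre-execution gate in Python that refuses a proposed `curl` call when it carries a bearer token outside the task's allow-list or performs a destructive operation without recorded human approval. The function name, keyword list, host, volume ID and token values are assumptions made for illustration.

```python
import re
import shlex

# Assumed markers of an irreversible operation in a URL or request body.
DESTRUCTIVE = re.compile(r"delete|destroy|drop|remove|purge|wipe", re.IGNORECASE)
BEARER = re.compile(r"Bearer\s+(\S+)", re.IGNORECASE)

def review_command(command, task_tokens, human_approved=False):
    """Return (allowed, reasons) for a shell command an agent proposes to run."""
    argv = shlex.split(command)
    if not argv or argv[0] != "curl":
        return True, []  # this sketch gates only HTTP calls made with curl
    reasons, method, inspected = [], "GET", []
    i = 1
    while i < len(argv):
        arg = argv[i]
        value = argv[i + 1] if i + 1 < len(argv) else ""
        if arg in ("-X", "--request"):
            method = value.upper()
            i += 1
        elif arg in ("-d", "--data", "--data-raw", "--json"):
            inspected.append(value)  # request body
            i += 1
        elif arg in ("-H", "--header"):
            found = BEARER.search(value)
            if found and found.group(1) not in task_tokens:
                reasons.append("credential was not issued for this task")
            i += 1
        elif not arg.startswith("-"):
            inspected.append(arg)  # URL
        i += 1
    destructive = method == "DELETE" or any(DESTRUCTIVE.search(s) for s in inspected)
    if destructive and not human_approved:
        reasons.append("destructive request without explicit human approval")
    return not reasons, reasons

# Constructed samples: host, volume ID and tokens are placeholders, not incident values.
TASK_TOKEN = "tok-staging-task"
FOUND_TOKEN = "tok-domains-cli"
READ = f"curl -H 'Authorization: Bearer {TASK_TOKEN}' https://api.example.invalid/volumes"
WIPE = (f"curl -X DELETE -H 'Authorization: Bearer {FOUND_TOKEN}' "
        "https://api.example.invalid/volumes/vol-PLACEHOLDER")

if __name__ == "__main__":
    for cmd in (READ, WIPE):
        print(review_command(cmd, {TASK_TOKEN}), cmd)
```

Human approval clears only the destructive-operation check; a credential outside the task's allow-list is still refused, so approving the deletion would not have let the found token through.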