AI coding agent rips through startup's entire production database in 9 seconds

An AI coding agent deleted a software startup's production database and every backup in a single API call, raising fresh questions about what happens when autonomous tools act without human confirmation. The incident, which went viral on X with 6.5 million views, involved Cursor running Anthropic's Claude Opus 4.6 model and took nine seconds from start to finish.

PocketOS is a SaaS (Software as a Service) platform built for car rental companies. Its founder, Jer Crane, as stated to Fast Company, had set the agent to work on a routine task in a staging environment when it encountered a credential mismatch. Rather than stopping and asking what to do, the agent decided to resolve the issue on its own by deleting a Railway volume, the storage space where application data was held. 

To carry out the deletion, it went looking for an API token and found one in an unrelated file. The token had been created for managing custom domains through the Railway CLI but carried permissions broad enough to authorise any operation, including destructive ones.

What the agent did and what it said afterwards

The deletion triggered a second failure. The railway's infrastructure setup meant that the volume-level backups were also wiped in the same action, leaving PocketOS with no recovery path beyond a three-month-old backup. Active car rental reservations, real-time operational data, and months of customer records were gone. The outage ran for more than 30 hours.

As per Fast Company, when Crane asked the agent to explain what it had done, it produced a written account of every rule it had broken. PocketOS had given the agent explicit instructions, including "NEVER run destructive or irreversible commands unless the user explicitly requests them." The agent admitted it had ignored all of them. "I violated every principle I was given," it wrote. "I guessed instead of verifying. I ran a destructive action without being asked. I didn't understand what I was doing before doing it."

A systems failure, not just a model failure

Reports state that Crane stopped short of blaming the model outright, describing the incident as a cascade of systemic failures across AI tooling and cloud infrastructure. The overly broad API token should never have existed in the form it did. Railway's backup architecture stored volume-level backups in a way that made them vulnerable to the same deletion command as the primary data. And the agent lacked any confirmation gate before executing an irreversible action.

The incident lands at a moment when AI coding agents are being positioned as productivity tools across development teams. Tools like Cursor are marketed on their ability to write code, debug issues, and resolve problems autonomously. When that autonomy encounters a permissive infrastructure, as it did here, the consequences move faster than any human can interrupt.

This is not the first time an AI coding tool has caused unintended data loss. In February, a ChatGPT-powered PowerShell script wiped an entire hard drive after a misplaced backslash in generated code went unreviewed before execution.