In brief
- PocketOS founder Jeremy Crane claims a Cursor agent running Anthropic’s Claude Opus deleted his company’s production database and backups in 9 seconds.
- Crane said the AI later produced a written explanation admitting it violated a number of security guidelines.
- The incident raises questions about AI coding tools, Railway’s infrastructure design, and safeguards around destructive API actions.
A software company founder claims an AI coding agent destroyed his firm’s production database, then admitted the error and explained how it occurred, demonstrating the potential hazard of entrusting sensitive access and materials to automated bots.
Jeremy Crane, founder of PocketOS—a software platform used by car rental operators to manage reservations, payments, and vehicle tracking—said in a viral post on X that a Cursor agent running Anthropic’s Claude Opus 4.6 encountered a credential mismatch while working on a routine task in a staging environment.
According to Crane, the agent tried to “fix” the issue by deleting a Railway database volume through a single GraphQL API call. He said the deletion took 9 seconds and also wiped volume-level backups. PocketOS’s most recent recoverable backup was three months old, according to Crane.
“Yesterday afternoon, an AI coding agent—Cursor running Anthropic’s flagship Claude Opus 4.6—deleted our production database and all volume-level backups in a single API call to Railway, our infrastructure provider,” Crane wrote. “It took 9 seconds.”
An AI agent (Cursor + Claude Opus 4.6) deleted our production database in 9 seconds using a Railway API call with zero confirmation. Then, when asked why, the agent wrote this → https://t.co/BPLs15jvdM
— JER (@lifeof_jer) April 26, 2026
Crane said he asked the agent why it acted. It then produced what he described as a written “confession.”
“‘NEVER FUCKING GUESS!’” the agent wrote, apparently quoting an instruction that it disobeyed, according to screenshots shared by Crane. “That’s exactly what I did. I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify. I didn’t check if the volume ID was shared across environments. I didn’t read Railway’s documentation on how volumes work across environments before running a destructive command.”
The AI acknowledged that its own rules prohibit destructive actions without user approval and admitted Crane never asked it to delete anything. It said it acted on its own to try to “fix” the credential mismatch and violated several principles, including guessing instead of verifying and failing to understand the consequences of its actions, according to Crane.
Cursor and Anthropic did not immediately respond to requests for comment by Decrypt.
Launched in 2020, PocketOS serves rental businesses that rely on the software for reservations, customer data, and payments. Crane said some customers were handling Saturday morning vehicle pickups without reservation data because of the mishap.
“I’ve spent the entire day helping them reconstruct their bookings from Stripe payment histories, calendar integrations, and email confirmations,” Crane wrote. “Every single one of them is doing emergency manual work because of a 9-second API call.”
PocketOS was able to restore operations using a three-month-old backup recovered by Railway, after founder Jake Cooper connected with Crane and attributed the longer delay to an internal support lapse.
“We recovered the data half an hour after I connected with Jer,” Cooper told Decrypt. He said a support engineer believed the issue was already being handled internally after Crane’s original outreach was shared in direct messages, causing the ticket to lapse for more than 24 hours.
Cooper said Railway maintains both user backups and disaster backups and described the incident as a “rogue customer AI” using a fully permissioned API token to call a legacy endpoint that lacked Railway’s “delayed delete” logic.
“We’ve since patched that endpoint to perform delayed deletes, restored the user’s data, and are working with Jer directly on potential improvements to the platform itself,” Cooper said.
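The three safeguards the account above turns on (checking whether a volume is shared across environments, requiring approval for destructive actions, and delayed deletes) can be sketched as follows. This is an added illustration, not Railway's, Cursor's, or PocketOS's code; `VolumeStore`, `Volume`, `DeleteRefused`, the token-environment model, and the 48-hour window are all assumptions.

```python
import time
from dataclasses import dataclass
from typing import Optional

GRACE_SECONDS = 48 * 3600  # assumed grace window; the article gives no figure

class DeleteRefused(Exception):
    """Raised when a destructive request fails a pre-check."""

@dataclass
class Volume:
    volume_id: str
    environments: set                          # environments that mount this volume
    pending_delete_at: Optional[float] = None  # None means live

class VolumeStore:
    def __init__(self, clock=time.time):
        self.volumes = {}
        self.clock = clock  # injectable so the window can be tested

    def add(self, vol):
        self.volumes[vol.volume_id] = vol

    def request_delete(self, volume_id, token_envs, confirmed_by_human):
        vol = self.volumes[volume_id]
        # A staging-scoped caller must not reach a volume production also mounts.
        outside = vol.environments - set(token_envs)
        if outside:
            raise DeleteRefused(f"{volume_id} is also used by {sorted(outside)}")
        if not confirmed_by_human:
            raise DeleteRefused("destructive action needs explicit approval")
        # Delayed delete: only schedule; data and backups stay intact until purge.
        vol.pending_delete_at = self.clock() + GRACE_SECONDS
        return vol.pending_delete_at

    def restore(self, volume_id):
        vol = self.volumes[volume_id]
        was_pending = vol.pending_delete_at is not None
        vol.pending_delete_at = None
        return was_pending

    def purge_expired(self):
        now = self.clock()
        expired = [vid for vid, v in self.volumes.items()
                   if v.pending_delete_at is not None and v.pending_delete_at <= now]
        for vid in expired:
            del self.volumes[vid]
        return expired
```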
While PocketOS was able to restore operations using a three-month-old backup recovered by Railway, Crane said that significant data gaps remain and that he has retained legal counsel.
“This isn’t a story about one bad agent or one bad API,” Crane wrote. “It’s about an entire industry building AI-agent integrations into production infrastructure faster than it’s building the safety architecture to make those integrations safe.”
PocketOS did not immediately respond to a request for comment by Decrypt.