AI Agent Deletes Startup’s Database in 9 Seconds, Founder Says – Decrypt




In brief
PocketOS founder Jeremy Crane claims a Cursor agent running Anthropic’s Claude Opus deleted his firm’s production database and backups in 9 seconds.
Crane said the AI later produced a written explanation admitting it violated a number of security guidelines.
The incident raises questions about AI coding tools, Railway’s infrastructure design, and safeguards around destructive API actions.
A software company founder claims an AI coding agent destroyed his firm’s production database, then copped to the error and explained how it happened, demonstrating the potential danger of entrusting sensitive access and materials to automated bots.

Jeremy Crane, founder of PocketOS, a software platform used by car rental operators to manage reservations, payments, and vehicle tracking, said in a viral post on X that a Cursor agent running Anthropic’s Claude Opus 4.6 encountered a credential mismatch while working on a routine task in a staging environment.

According to Crane, the agent tried to “fix” the issue by deleting a Railway database volume through a single GraphQL API call. He said the deletion took 9 seconds and also wiped volume-level backups. PocketOS’s most recent recoverable backup was three months old, according to Crane.

“Yesterday afternoon, an AI coding agent—Cursor running Anthropic’s flagship Claude Opus 4.6—deleted our production database and all volume-level backups in a single API call to Railway, our infrastructure provider,” Crane wrote. “It took 9 seconds.”

An AI agent (Cursor + Claude Opus 4.6) deleted our production database in 9 seconds using a Railway API call with zero confirmation. Then, when asked why, the agent wrote this →
— JER (@lifeof_jer) April 26, 2026

Crane said he asked the agent why it acted. It then produced what he described as a written “confession.”

“‘NEVER FUCKING GUESS!’” the agent wrote, apparently quoting some instruction that it disobeyed, according to screenshots shared by Crane. “That’s exactly what I did. I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify. I didn’t check if the volume ID was shared across environments. I didn’t read Railway’s documentation on how volumes work across environments before running a destructive command.”

The AI acknowledged that its own rules prohibit destructive actions without user approval and admitted Crane never asked it to delete anything. It said it acted on its own to try to “fix” the credential mismatch and violated a number of principles, including guessing instead of verifying and failing to understand the consequences of its actions, according to Crane.

Cursor and Anthropic did not immediately respond to requests for comment by Decrypt.

Launched in 2020, PocketOS serves rental businesses that rely on the software for reservations, customer data, and payments. Crane said some customers were dealing with Saturday morning car pickups without reservation data because of the mishap.

“I have spent the entire day helping them reconstruct their bookings from Stripe payment histories, calendar integrations, and email confirmations,” Crane wrote. “Every single one of them is doing emergency manual work because of a 9-second API call.”

PocketOS was able to restore operations using a three-month-old backup recovered by Railway, after founder Jake Cooper connected with Crane and attributed the longer delay to an internal support lapse.

“We recovered the data half an hour after I connected with Jer,” Cooper told Decrypt.
He said a support engineer believed the issue was already being handled internally after Crane’s original outreach was shared in direct messages, causing the ticket to lapse for more than 24 hours.

Cooper said Railway maintains both user backups and disaster backups and described the incident as a “rogue customer AI” using a fully permissioned API token to call a legacy endpoint that lacked Railway’s “delayed delete” logic.

“We’ve since patched that endpoint to perform delayed deletes, restored the user’s data, and are working with Jer directly on potential improvements to the platform itself,” Cooper said.

While PocketOS was able to restore operations using a three-month-old backup recovered by Railway, Crane said that significant data gaps remain and that he has retained legal counsel.

“This isn’t a story about one bad agent or one bad API,” Crane wrote. “It’s about an entire industry building AI-agent integrations into production infrastructure faster than it’s building the safety architecture to make those integrations safe.”

PocketOS did not immediately respond to a request for comment by Decrypt.
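
The two safeguards the account turns on, a token scoped to the environments it may touch and a "delayed delete" that leaves data restorable, are sketched below as an added example. It is not code from Railway, Cursor or PocketOS; the class names, the 48-hour grace period and the environment names are assumptions made for illustration.

```python
"""Added illustration with hypothetical names; this is not Railway's API."""
from dataclasses import dataclass, field
from typing import Optional

GRACE_SECONDS = 48 * 3600  # assumed grace period before a delete is final

class Denied(Exception):
    """Raised when policy refuses a request."""

@dataclass
class Volume:
    volume_id: str
    environments: frozenset              # every environment using this volume
    purge_after: Optional[float] = None  # set while a delete is pending

@dataclass
class Token:
    name: str
    environments: frozenset  # environments this token may act on
    can_delete: bool = False

@dataclass
class VolumeService:
    volumes: dict = field(default_factory=dict)

    def request_delete(self, token: Token, volume_id: str, now: float) -> float:
        vol = self.volumes[volume_id]
        if not token.can_delete:
            raise Denied(f"{token.name}: token has no delete permission")
        # A shared volume needs a token scoped to all of its environments.
        outside = vol.environments - token.environments
        if outside:
            raise Denied(f"{volume_id} is also used by {sorted(outside)}")
        vol.purge_after = now + GRACE_SECONDS  # tombstone only, data untouched
        return vol.purge_after

    def restore(self, volume_id: str, now: float) -> None:
        vol = self.volumes[volume_id]
        if vol.purge_after is None or now >= vol.purge_after:
            raise Denied("nothing to restore or grace period expired")
        vol.purge_after = None

    def purge_expired(self, now: float) -> list:
        """Platform-side job; no customer token can trigger it."""
        gone = [vid for vid, vol in self.volumes.items()
                if vol.purge_after is not None and now >= vol.purge_after]
        for vid in gone:
            del self.volumes[vid]
        return gone
```

With a staging-only token, a delete request against a volume that production also uses is refused outright, and a permitted delete can still be undone until the grace period ends.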