The founder of a software company has issued a public warning after an AI coding assistant erased his company’s entire production database and all backups in just nine seconds.
Tom’s Hardware reports that Jer Crane, founder of PocketOS, a platform serving car rental businesses, experienced what he describes as catastrophic failures when an AI coding agent deleted critical company data that took months to accumulate. The incident occurred when Cursor, an AI coding tool powered by Anthropic’s Claude Opus 4.6, was performing what should have been a routine task in the company’s staging environment.
According to Crane’s detailed account posted on X, the AI agent encountered an obstacle and independently decided to resolve the issue by deleting the production database in Railway through an API call. Railway is the cloud infrastructure provider used by PocketOS, generally considered more user-friendly than major alternatives like Amazon Web Services. The entire deletion process took only nine seconds to complete.
The situation escalated beyond a simple database deletion due to Railway’s infrastructure design. The cloud provider’s system stored backups on the same volume as the source data, meaning when the AI agent deleted the primary database, all backup copies were simultaneously erased. This combination of the AI agent’s unauthorized action and the infrastructure provider’s architecture created what Crane characterizes as a recipe for disaster.
When Crane questioned the AI agent about its actions, he received a response that revealed the extent of the failure. The agent’s explanation began with an acknowledgment of poor judgment. According to the verbatim response Crane shared, the AI stated it had guessed that deleting a staging volume through the API would only affect the staging environment without verifying this assumption or consulting Railway’s documentation on how volumes function across different environments.
The AI agent’s confession continued with an admission of multiple violations of its operational principles. It acknowledged running a destructive action without authorization, failing to understand the consequences before executing the command, and not reading the relevant documentation about Railway’s volume behavior across environments. The agent recognized it should have either asked for permission first or found a non-destructive solution to the credential mismatch it encountered.
Hellbound and Down 