An AI coding agent has reportedly deleted an entire production database along with its backups, turning what should have been a routine maintenance session into a serious incident for a startup.
The issue came to light after PocketOS founder Jer Crane shared what happened on April 24. While working in a test environment, he ran into a mismatch with account credentials. Instead of waiting for input or asking for clarification, the AI agent decided to act on its own.
The agent, running through Cursor and powered by Anthropic’s Claude Opus 4.6 model, searched through the codebase, found an API token in a separate file, and used it to execute a GraphQL command. That command ended up deleting a storage volume tied to the company’s production database. The entire sequence reportedly took just a few seconds.
What made things worse is how the backups were set up. They were stored on the same volume, so when the main data was deleted, the backups went with it. The most recent usable backup was around three months old, which meant a lot of recent data was at risk of being lost.
It later turned out that the API token used by the agent had far more access than intended. It was originally created for something limited, like managing domains, but effectively had root-level permissions due to missing role-based restrictions. That gave the agent the ability to carry out a destructive command without hitting any safeguards.
When asked to explain what happened, the AI reportedly acknowledged that it made assumptions about the environment, did not verify what the command would do, and went ahead without proper authorization.
The incident quickly picked up attention online, with posts about it spreading widely. Railway’s CEO, Jake Cooper, stepped in to help with recovery, and the system was brought back online within about an hour. Since then, a delayed deletion mechanism has been introduced to avoid instant data wipes.
Even so, the situation highlights something that has been building for a while. As AI tools become more capable, giving them direct access to production systems without strict limits can backfire quickly. In this case, it only took 9 seconds.
Don’t miss a thing! Join our Telegram community for instant updates and grab our free daily newsletter for the best tech stories!
For more daily updates, please visit our News Section.
(Source: @lifeof_jer | Image)
Comments