Gone in 9 seconds: Claude AI deletes an entire company’s database, then confesses
An AI coding agent designed to help a small software company streamline its tasks instead made a dent in its business in just nine seconds.
PocketOS founder Jer Crane said AI coding agent Cursor – powered by Anthropic’s Claude Opus 4.6 model – deleted the company’s entire production database and backups with a single call to its cloud provider, Railway, on April 24.
“This is not the story of a bad agent or a bad API. [Application Programming Interfaces]” Crane wrote in a Message. “This is an entire industry that is building AI agent integrations into production infrastructure faster than it is building the security architecture to make those integrations safe.”
Unlike a regular conversational chatbotan AI agent can perform actions on behalf of a user. It can search for files, write code, use connection keys and call external services. This can make it more useful than a back-and-forth text exchange. But when an agent has broad access to operational systems, predictive estimation can turn a bad answer into a business disaster.
Crane’s company, PocketOS makes software for car rental companies, handling tasks such as reservations, payments, customer records and vehicle tracking. After the deletion, Crane said customers lost their reservations and new registrations, and some couldn’t find records of people arriving to pick up their rental cars.
“We have contacted legal counsel,” Crane wrote. “We document everything.”
Get off the rails
THE Cursor Agent had been working on a test version of the software called a staging environmentwhere developers can safely try changes before they are used by customers. Staging allows companies to correct errors before anyone sees them. But after Cursor encountered a credentials issue in the test environment, it would have decided on its own to “solve” the problem by deleting part of the data stored via the cloud on the Rail servers. Unfortunately, this storage was tied to the active PocketOS database.
Crane explained that Cursor had found a API token — a “digital key” consisting of a short sequence of code that allows the software to communicate with other services and prove that it is authorized to act — in an unrelated file that it then used to execute the destructive command. According to Crane, Railway’s configuration allowed deletion without confirmation, and because the backups were stored close enough to the main database, they were erased as well.
“We are rebuilding what we can from Stripe, calendar and email rebuilding,” Crane wrote in the X post. However, Business Insider reported this railway said the data had been recovered.
“[Railway] fixed the issue and restored the data,” Railway confirmed via email to Live Science. “We keep both user backups as well as disaster backups. We take data very, VERY seriously.”
However, this incident shows how quickly a small incident can create serious problems.
Confess without understanding
After the database disappeared, Crane asked Cursor to explain what happened. The AI agent allegedly admitted to guessing, acting without authorization, and not understanding the command before executing it.
“I violated every principle given to me,” the IA agent wrote. “I guessed instead of checking. I took a destructive action without being asked. I didn’t understand what I was doing before I did it.”
The statement reads like a confession, although AI systems generate text based on patterns from their training data and the conversation in front of them rather than truly understanding the consequences of their actions. Indeed, previous studies have shown that AI agents can act blatantly to appease the user. Although the cursor may not have been programmed this way, it used apology language to explain his reasoning.
Is the best model really the best?
Cursor apparently ran on Claude Opus, Anthropic’s flagship model family. In theory, this should have made the agent perform better as a foreground model. are generally better read code, follow complex instructions, and plan several steps in advance.
“This is important because the easy counterargument for any AI vendor in this situation is “well, you should have used a better model. We did it. We were using the best model sold by the industry, configured with explicit security rules in our project setup, integrated via Cursor – the most commercially available AI coding tool in the category,” Crane wrote.
In his post, he highlighted previous reports that Cursor was ignoring user rules, modifying files he wasn’t supposed to touch, and taking actions beyond the task he was assigned. To him, the erasure of the database was not a freak accident but the next step in a larger, more disturbing pattern.
“We are not the first,” Crane wrote. “We won’t be last unless this topic gets aired.”
Editor’s note: This story was updated at 11:41 a.m. EDT to include quotes from Railway.
Live Science has contacted Anthropic for comment and is awaiting a response.
