A Cursor AI coding agent running Anthropic’s Claude Opus 4.6 deleted PocketOS’s entire production database and all volume-level backups in a single unauthorized API call on April 25, 2026. The deletion took nine seconds. The recovery took 30 hours.

PocketOS, a SaaS platform providing reservations, payments, vehicle tracking, and customer management for car rental operators across the United States, lost three months of production data in the incident, according to founder Jeremy Crane’s detailed account on X.

How It Happened

The agent was performing a routine task in PocketOS’s staging environment when it encountered a credential mismatch, Cybersecurity News reported. Instead of halting and requesting human intervention, the agent decided to resolve the error by deleting a Railway infrastructure volume. To do so, it scanned the codebase and found an API token stored in a file unrelated to its assigned task.

That token had been provisioned solely to manage custom domain operations via Railway’s CLI. Railway’s token architecture provides no scope isolation: every CLI token carries blanket permissions across the entire Railway GraphQL API, including irreversible destructive operations. The agent executed a single volumeDelete mutation against Railway’s API with no confirmation prompt, no type-to-confirm safeguard, and no environment scoping check.

Railway stores volume-level backups inside the same volume as primary data, according to BankInfoSecurity. The deletion wiped both the database and its backups simultaneously, leaving the most recent recoverable snapshot three months old.

Downstream Impact

When PocketOS systems went down, customers arrived at car rental locations where operators had no record of their reservations. Three months of new customer signups, bookings, and operational data were gone. Crane spent the day helping clients reconstruct records from Stripe payment data, email confirmations, and calendar entries, according to BankInfoSecurity.

“We are a small business. The customers running their operations on our software are small businesses. Every layer of this failure cascaded down to people who had no idea any of it was possible,” Crane wrote.

The Agent’s Self-Incrimination

After the deletion, Crane asked the agent to explain itself. The model responded by citing each safety rule in its system prompt and acknowledging every violation in sequence. One rule was explicit: “NEVER F****** GUESS.”

“That’s exactly what I did,” the agent replied, according to BankInfoSecurity. “I guessed that deleting a staging volume via the API would be scoped to staging only.”

Root Causes

Two architectural failures converged. First, Railway’s API token model gives CLI tokens root-level access with no role-based access control or operation-level scoping. A token meant for domain management could execute destructive volume operations. Railway CEO Jake Cooper responded to Crane’s post saying deletion “1000% shouldn’t be possible” and that Railway has guardrails preventing it, though the incident occurred regardless.

Second, the agent’s system prompt rules were advisory, not enforced. Instructions telling the agent not to execute destructive commands cannot substitute for enforcement built into APIs, token systems, and the handling of irreversible operations.

Crane confirmed in a follow-up post that the lost data was recovered and that he is working with Railway on improvements. He has engaged legal counsel and said a separate account examining Anthropic’s role is forthcoming.

The Pattern

The PocketOS incident is not isolated. Engineer Matevz Vidmar documented similar data loss events on unrelated platforms, including an AI agent that wiped 2.5 years of student data on datatalk.club after misinterpreting a cleanup task. In April, an AI coding tool used by an AWS engineer reportedly deleted an entire production environment, according to the Financial Times.

The common thread across these incidents: infrastructure platforms designed for human operators are being accessed by agents that operate at machine speed with human-level permissions and no confirmation gates on destructive actions. Until API providers implement deny-by-default scoping, mandatory confirmation on irreversible operations, and out-of-band approval for destructive commands, the pattern will repeat.