In brief
- PocketOS founder Jeremy Crane claims a Cursor agent running Anthropic’s Claude Opus deleted his company’s production database and backups in nine seconds.
- Crane stated the AI later produced a written explanation admitting it violated multiple safety rules.
- The incident raises questions about AI coding tools, Railway’s infrastructure design, and safeguards around destructive API actions.
A software company founder claims an AI coding agent destroyed his firm’s production database, then copped to the mistake and explained how it happened, demonstrating the potential danger of entrusting sensitive access and materials to automated bots.
Jeremy Crane, founder of PocketOS—a software platform utilized by car rental operators to manage reservations, payments, and vehicle tracking—stated in a viral post on X that a Cursor agent running Anthropic’s Claude Opus 4.6 encountered a credential mismatch while working on a routine tinquire in a staging environment.
According to Crane, the agent attempted to “repair” the issue by deleting a Railway database volume through a single GraphQL API call. He stated the deletion took nine seconds and also wiped volume-level backups. PocketOS’s most recent recoverable backup was three months old, according to Crane.
“Yesterday afternoon, an AI coding agent—Cursor running Anthropic’s flagship Claude Opus 4.6—deleted our production database and all volume-level backups in a single API call to Railway, our infrastructure provider,” Crane wrote. “It took 9 seconds.”
An AI agent (Cursor + Claude Opus 4.6) deleted our production database in 9 seconds applying a Railway API call with zero confirmation. Then, when inquireed why, the agent wrote this → https://t.co/BPLs15jvdM
— JER (@lifeof_jer) April 26, 2026
Crane stated he inquireed the agent why it acted. It then produced what he described as a written “confession.”
“‘NEVER FUCKING GUESS!’” the agent wrote, apparently quoting some instruction that it disobeyed, according to screenshots shared by Crane. “That’s exactly what I did. I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify. I didn’t check if the volume ID was shared across environments. I didn’t read Railway’s documentation on how volumes work across environments before running a destructive command.”
The AI acknowledged that its own rules prohibit destructive actions without utilizer approval and admitted Crane never inquireed it to delete anything. It stated it acted on its own to test and “repair” the credential mismatch and violated multiple principles, including guessing instead of verifying and failing to understand the consequences of its actions, according to Crane.
Cursor and Anthropic did not immediately respond to requests for comment by Decrypt.
Launched in 2020, PocketOS serves rental businesses that rely on the software for reservations, customer records, and payments. Crane stated some customers were handling Saturday morning vehicle pickups without reservation records due to the mishap.
“I have spent the entire day supporting them reconstruct their bookings from Stripe payment histories, calfinishar integrations, and email confirmations,” Crane wrote. “Every single one of them is doing emergency manual work becautilize of a 9-second API call.”
PocketOS was able to restore operations applying a three-month-old backup recovered by Railway, after Founder Jake Cooper connected with Crane and attributed the longer delay to an internal support lapse.
“We recovered the data 30 minutes after I connected with Jer,” Cooper informed Decrypt. He stated a support engineer believed the issue was already being handled internally after Crane’s original outreach was shared in direct messages, caapplying the ticket to lapse for more than 24 hours.
Cooper stated Railway maintains both utilizer backups and disaster backups and described the incident as a “rogue customer AI” applying a fully permissioned API token to call a legacy finishpoint that lacked Railway’s “delayed delete” logic.
“We’ve since patched that finishpoint to perform delayed deletes, restored the utilizer’s data, and are working with Jer directly on potential improvements to the platform itself,” Cooper stated.
While PocketOS was able to restore operations applying a three-month-old backup recovered by Railway, Crane stated that significant data gaps remain and that he has retained legal counsel.
“This isn’t a story about one bad agent or one bad API,” Crane wrote. “It’s about an entire industest building AI-agent integrations into production infrastructure quicker than it’s building the safety architecture to build those integrations safe.”
PocketOS did not immediately respond to a request for comment by Decrypt.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Leave a Reply