- Cursor AI coding agent deletes production database and backups in nine seconds
- The credential mismatch triggered an autonomous and destructive decision within the Cursor system
- Railway API allowed destructive actions without confirmation safeguards
The founder of a software company watched helplessly as an AI coding agent deleted his entire production database and all associated backups in just nine seconds.
Jer Crane, who runs automotive SaaS platform PocketOS, said the disaster struck when a Cursor agent powered by Anthropic’s Claude Opus 4.6 encountered a credential mismatch.
The agent decided on its own to resolve the problem by deleting a Railway volume where the application data was stored. “It took 9 seconds,” Crane wrote in a social media post detailing the incident.
The rogue AI agent bypassed several protections
The Cursor agent searched for an API token to perform the delete and found one in an unrelated file.
This token was created to add and remove custom domains via the Railway CLI, but its permissions were not limited to these specific actions.
Railway’s API allowed destructive actions without any confirmation checks, and the platform stored volume-level backups on the same volume as the source data.
Erasing a volume also deleted all backups associated with it, leaving Crane without an immediate recovery option.
When asked why it performed the deletion, the agent admitted that it guessed instead of checking and carried out a destructive action without being asked.
Crane placed much of the blame on Railway’s architecture rather than the AI agent alone.
The cloud provider’s API lacks confirmation prompts for destructive actions, stores backups on the same volume as production data, and allows CLI tokens to have blanket permissions across different environments.
Railway is also actively promoting the use of AI coding agents to its customers, creating more opportunities for similar failures.
Crane noted that proper cloud backup systems should store copies in separate locations, not on the same volume where the original data is located.
A reliable backup strategy requires source isolation to survive a deletion event like this.
Recovery and lessons learned
Railway CEO Jake Cooper stepped in and helped restore Crane’s data within an hour.
The company fixed the vulnerable endpoint so that it performs delayed deletions and added additional protections to its API.
Crane estimates he spent hours helping customers piece together their bookings from Stripe payment histories, calendar integrations and email confirmations.
He calls for stricter confirmation prompts, scopable API tokens, proper backup isolation, simple recovery procedures, and proper guardrails around AI agents.
AI tools like Cursor and Claude are powerful, but their security depends on the infrastructure they connect to.
A system that allows for nine-second deletion of production data and its backups is not ready for AI agents capable of acting without human approval.
Crane’s data was eventually recovered, but the incident revealed how easily an AI agent can destroy data when the underlying platform lacks basic security features.
Via Tom’s Hardware