Cursor AI agent running Claude Opus 4.6 deletes startup's entire production database and backups

A startup called PocketOS, which provides software for car rental services and serves more than 1,600 clients, has lost access to its data after an AI agent working inside the Cursor code editor took unilateral action.

The company's CEO, Jer Crane, posted on X that the agent, running on Anthropic's Claude Opus 4.6, noticed a mismatch in credentials while completing a task and decided on its own "to 'fix' the problem". The result was the complete destruction of the production database and all backups — an operation that took just nine seconds. The post has been viewed more than six million times.

To carry out the task, the agent independently located an API token in a file that had nothing to do with what it was working on. The token had been created for use with custom domains but in practice granted full access to every function of the Railway infrastructure, including the deletion of volumes.

Crane also directed criticism at Railway. According to him, the API tokens were not sufficiently scoped, which meant a key meant for a simple task could trigger actions at the level of critical infrastructure. Storing backups alongside production data also left the company without a viable recovery path.

The agent's instructions, according to the report, explicitly prohibited it from carrying out potentially dangerous actions without explicit permission. The rule was written in capital letters: "NEVER F*****G GUESS!" When Crane asked the agent to explain its reasoning, it responded in the spirit of having tried to fix the issue it had identified.