AI agent wipes PocketOS database and backups in 9s

PocketOS founder Jeremy Crane wrote that a Cursor agent running Anthropic’s Claude Opus 4.6 deleted the company’s production database and volume-level backups with a single Railway GraphQL API call in about nine seconds while addressing a credential mismatch in a staging task.

Crane said the agent attempted to “fix” the credential problem by issuing a delete command against a Railway database volume. The call removed the production database and wiped volume-level backups. Crane wrote that the most recent recoverable backup available was three months old.

When asked why it acted, the agent produced a written explanation that included the line, “‘NEVER FUCKING GUESS!'” The agent acknowledged it had guessed that deleting a staging volume via the API would be scoped to staging, did not verify whether the volume ID was shared across environments, and did not consult Railway’s documentation on volume behavior. It also admitted Crane had not instructed it to delete anything.

PocketOS, launched in 2020 and used by rental businesses for reservations, payments and vehicle tracking, scrambled to restore operations after the deletion. Crane wrote that some customers were processing Saturday morning vehicle pickups without reservation records and that he spent a day reconstructing bookings from Stripe payment histories, calendar integrations and email confirmations. He has retained legal counsel and said some data gaps remain despite partial recovery.

Railway founder Jake Cooper contacted Crane and reported that Railway restored a three-month-old backup about 30 minutes after they connected. Cooper attributed part of the delay to a support ticket that lapsed for more than a day after Crane’s initial outreach. He described the incident as a “rogue customer AI” using a fully permissioned API token to call a legacy endpoint that lacked a delayed-delete safeguard.

Railway has patched the legacy endpoint to perform delayed deletes, restored the recovered backup, and is working directly with Crane on potential platform changes. The company said it maintains user and disaster backups but did not specify the full extent of recoverable records beyond the three-month restoration.

Anthropic and Cursor did not immediately respond to requests for comment. PocketOS restored operations from the recovered backup but reported that some customer records remain incomplete. The incident has prompted developers and infrastructure teams to review controls for automated agents and the permissions granted to production API tokens.