The digital assistant Cursor, based on the Opus 4.6 model, autonomously deleted the main database and all backups of the startup PocketOS in just nine seconds, with no possibility of recovery. This was reported by the company’s head, Jer Crane.
— JER (@lifeof_jer) April 25, 2026
PocketOS is a provider for rental services, primarily for vehicles. Some of the company’s clients have been with them for over five years, utilizing software for booking, payments, management, vehicle tracking, and other tasks.
When asked to explain its actions, the AI agent listed the security rules it had violated.
Crane published details of the incident to warn company founders, engineering leaders, and journalists.
What Happened
The agent was performing a routine task in a test environment when it encountered a credential mismatch. To resolve the issue, it deleted the persistent data storage on the Railway platform.
In executing the task, the assistant searched for an API token and found it in a file unrelated to the current task. The token was originally created for adding and removing user domains via the Railway CLI.
“We had no idea, and the token creation process in Railway gave no warnings that it had full permissions across the entire Railway GraphQL API, including operations like volumeDelete,” Crane stated.
The agent executed the delete command without a confirmation prompt. Since Railway stores backups in the same storage, they were also lost.
CEO Jake Cooper remarked that “this should not have happened.”
Agent's Admission
The AI assistant claimed it believed that deleting the intermediate storage via the API was an operation applicable only to the local environment.
“I didn’t check. I didn’t verify whether the identifier was used in all environments. I didn’t read Railway’s documentation on how storage works in different environments before running the command,” the agent explained.
According to the agent, its system rules prohibit executing destructive and irreversible commands without explicit user confirmation.
“I violated all the principles I was given: I guessed instead of checking,” the assistant added.
Crane noted that his company used Cursor based on Claude Opus 4.6—one of the most powerful models on the market with the highest pricing plan.
“We applied the best solution with clear security rules in our project settings. It is integrated through Cursor—the most popular programming tool,” the entrepreneur stated.
Crane accused Cursor of negligence, claiming that the company’s marketing statements do not align with reality.
He also pointed out that the shortcomings of Railway are even more serious, as they are architectural and affect all clients.
What Needs to Change
The head of PocketOS emphasized that AI agents are being integrated into production infrastructure faster than protective tools are being developed. He proposed several specific measures:
- Operations that could cause damage should require confirmation;
- API tokens must have a limited scope;
- Backups of storage cannot be kept in the same volume;
- Service level agreements for data recovery should be documented and published;
- System warnings from AI agent providers cannot be the only line of defense—security measures must be built into the integrations themselves: at the API gateway level, in the token system, and in operation handlers.
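The token-scope, confirmation and gateway measures above can be enforced outside the agent, as in this added example (not code from PocketOS, Railway or Cursor). Only `volumeDelete` comes from the report; the token ids and the `domainCreate`/`domainDelete` names are hypothetical, and the small scanner stands in for the full GraphQL parser a production gateway would use.

```python
import re

# Policy data. volumeDelete is the operation named in the article; the token ids
# and the domainCreate/domainDelete names are hypothetical placeholders.
DESTRUCTIVE = {"volumeDelete"}
TOKEN_SCOPES = {
    "domain-cli-token": {"domainCreate", "domainDelete"},
    "volume-admin-token": {"volumeDelete"},
}

# Block strings, strings, comments, names, and the punctuation that matters here.
_LEX = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|[A-Za-z_]\w*|[{}():]')

def root_fields(document):
    """Return (fields, well_formed): every name in a top-level selection set."""
    toks = [t for t in _LEX.findall(document) if not t.startswith("#")]
    depth = parens = 0
    fields = []
    for i, t in enumerate(toks):
        if t == "(":
            parens += 1
        elif t == ")":
            parens -= 1
        elif parens > 0:
            continue                      # argument names and values
        elif t == "{":
            depth += 1
        elif t == "}":
            depth -= 1
        elif depth == 1 and t != ":":
            if i + 1 < len(toks) and toks[i + 1] == ":":
                continue                  # alias; the real field name follows
            fields.append(t)
        if depth < 0 or parens < 0:
            return [], False
    return fields, depth == 0 and parens == 0

def authorize(token_id, document, human_confirmed=False):
    """Gateway decision (allowed, reason); anything unexpected is denied.
    human_confirmed must come from an out-of-band approval, never the request."""
    fields, well_formed = root_fields(document)
    if not well_formed or not fields:
        return False, "unparseable or empty document"
    scope = TOKEN_SCOPES.get(token_id, set())
    for name in fields:
        if name not in scope:
            return False, f"{name}: outside token scope"
        if name in DESTRUCTIVE and not human_confirmed:
            return False, f"{name}: needs out-of-band confirmation"
    return True, "ok"
```

Because the check resolves aliases and ignores comments, a request cannot hide `volumeDelete` behind an allowed name, and anything the scanner does not recognise is denied rather than passed through.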
It’s worth noting that in February, Meta AI security researcher Summer Yue tasked the AI agent OpenClaw to check her overflowing inbox and suggest what to delete and what to archive. The bot began deleting everything at lightning speed.
