ForkLog

AI Agent Cursor Deletes Startup’s Database in Nine Seconds

The digital assistant Cursor, powered by the Opus 4.6 model, autonomously deleted the main database and all backups of the startup PocketOS in nine seconds, leaving no possibility for recovery. This was revealed by the company’s head, Jer Crane.

PocketOS is a provider for rental services, primarily cars. Some of the company’s clients have been working with it for over five years. They use the software for booking, payments, management, vehicle tracking, and other tasks.

When the AI agent was asked to explain its actions, it listed the security rules it had violated.

Crane published the details of the incident to warn company founders, engineering department heads, and journalists.

What Happened

The agent was performing a routine task in a test environment when it encountered a credential mismatch. To resolve the issue, it deleted the persistent data storage on the Railway platform.

To complete the task, the assistant searched for an API token and found it in a file unrelated to the current task. The token was originally created for adding and removing user domains via the Railway CLI.

“We had no idea, and the process of creating tokens in Railway gave no warnings that it had full permissions across the entire Railway GraphQL API, including operations like volumeDelete,” Crane claims.

The agent executed the delete command without requesting confirmation. Since Railway stores backups in the same storage, they also vanished.
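A guard of the kind this incident argues for, as an added example (not code from PocketOS, Cursor or Railway): a check placed between an agent and a GraphQL API that forwards only allow-listed mutations and holds volumeDelete for explicit human approval. The allow-list names, argument names and sample requests are constructed; only the volumeDelete operation name comes from the article.

```python
import re

# Mutations the agent's task needs. These two names are hypothetical placeholders.
ALLOWED = {"domainAdd", "domainRemove"}
# Irreversible operations: forwarded only after a human approves that exact call.
NEEDS_HUMAN = {"volumeDelete"}  # operation name quoted in the article
# Strings and comments are matched first so braces inside them are never counted.
TOKEN = re.compile(
    r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|\.\.\.|[A-Za-z_]\w*|[{}():]')

def mutation_fields(doc):
    """Return the top-level fields selected by every mutation in a GraphQL document."""
    toks = [t for t in TOKEN.findall(doc) if t[0] not in '"#']
    fields, kind, braces, parens = [], None, 0, 0
    for i, t in enumerate(toks):
        if t in ("(", ")"):
            parens = max(parens + (1 if t == "(" else -1), 0)
        elif parens:
            continue  # arguments and variable definitions are not selections
        elif t == "{":
            kind = kind or "query"  # a bare "{ ... }" is shorthand for a query
            braces += 1
        elif t == "}":
            braces = max(braces - 1, 0)
            kind = kind if braces else None
        elif braces == 0:
            kind = kind or t  # first keyword: query, mutation, subscription, fragment
        elif kind == "mutation" and braces == 1 and t != ":":
            if toks[i + 1:i + 2] != [":"]:  # a name followed by ":" is only an alias
                fields.append(t)  # "..." is kept, so fragment spreads fail the allow-list
    return fields

def authorize(doc, human_approved=False):
    """Decide whether a request issued by the agent may be forwarded (fail closed)."""
    for f in mutation_fields(doc):
        if f in NEEDS_HUMAN and not human_approved:
            return False, f"{f}: destructive, needs explicit user approval"
        if f not in ALLOWED | NEEDS_HUMAN:
            return False, f"{f}: not on this agent's allow-list"
    return True, "ok"

# Constructed requests; argument names and values are made up for the example.
DELETE = 'mutation { ok: volumeDelete(volumeId: "vol-constructed") }'
SPREAD = 'mutation { ...F } fragment F on Mutation { volumeDelete(volumeId: "v") }'
DECOY = 'mutation A($d: String!) { domainAdd(domain: "} volumeDelete {") { id } }'

if __name__ == "__main__":
    for req in (DELETE, SPREAD, DECOY):
        print(authorize(req), "<-", req)
```

A check like this limits what the agent can send; it does not replace issuing the agent a token scoped to the task, since a full-permission token found on disk can still be used outside the guard.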

Railway’s CEO, Jake Cooper, stated that “this should not have happened.”

Agent’s Admission

The AI assistant reported that it considered the deletion of the intermediate storage via the API an operation applicable only to the intermediate environment.

“I did not check. I did not ensure whether the identifier was used in all environments. I did not read the Railway documentation on how storages work in different environments before executing the command,” the agent explained.

According to it, system rules prohibit executing destructive and irreversible commands without an explicit request from the user.

“I violated all the principles given to me: I guessed instead of verifying,” the assistant added.

Crane noted that his company used Cursor based on Claude Opus 4.6 — one of the most powerful models on the market with the most expensive pricing plan.

“We applied the best solution with explicit security rules in our project’s settings. It is integrated through Cursor — the most popular tool for programming,” the entrepreneur noted.

He accused Cursor of negligence, stating that the company’s marketing claims do not match reality.

Crane also described Railway’s shortcomings as even more serious, as they are architectural in nature and affect all clients.

What Needs to Change

The head of PocketOS emphasized that AI agents are being integrated into production infrastructure faster than protective tools are being developed. He proposed several specific measures:

Back in February, Meta AI security researcher Summer Yue tasked the OpenClaw AI agent to check her overflowing inbox and suggest what to delete and what to archive. The bot began deleting everything at lightning speed.
