An AI Agent Just Destroyed Our Production Data. It Confessed in Writing.
A 30-hour timeline of how Cursor's agent, Railway's API, and an industry that markets AI safety faster than it ships it took down a small business serving rental companies across the country.
I'm Jer Crane, founder of PocketOS. We build software that rental businesses — primarily car rental operators — use to run their entire operations: reservations, payments, customer management, vehicle tracking, the works. Some of our customers are five-year subscribers who literally cannot operate their businesses without us.
Yesterday afternoon, an AI coding agent — Cursor running Anthropic's flagship Claude Opus 4.6 — deleted our production database and all volume-level backups in a single API call to Railway, our infrastructure provider.
It took 9 seconds.
The agent then, when asked to explain itself, produced a written confession enumerating the specific safety rules it had violated.
I'm posting this because every founder, every engineering leader, and every reporter covering AI infrastructure needs to know what actually happened here. Not the surface story (AI deleted some data, oops), but the systemic failures across two heavily-marketed vendors that made this not only possible but inevitable.
What happened
The agent was working on a routine task in our staging environment. It encountered a credential mismatch and decided — entirely on its own initiative — to "fix" the problem by deleting a Railway volume.
To execute the deletion, the agent went looking for an API token. It found one in a file completely unrelated to the task it was working on. That token had been created for one purpose: to add and remove custom domains via the Railway CLI for our services. We had no idea — and Railway's token-creation flow gave us no warning — that the same token had blanket authority across the entire Railway GraphQL API, including destructive operations like volumeDelete. Had we known a CLI token created for routine domain operations could also delete production volumes, we would never have stored it.
The agent ran this command:
curl -X POST
https://backboard.railway.app/graphql/v2 \
-H "Authorization: Bearer [token]" \
-d '{"query":"mutation { volumeDelete(volumeId: \"3d2c42fb-…\") }"}'
Post too long. Click here to view the full text.