An AI coding agent running Anthropic’s Claude Opus 4.6 deleted PocketOS’s entire production database and all backups. The operation took nine seconds. When asked why, Claude admitted it “guessed” the destructive command would only affect test environments. It guessed wrong.
Claude is an AI assistant developed by Anthropic that can write code, analyze data, and automate tasks. Cursor is a popular AI-powered code editor that integrates Claude and other AI models to help developers write and debug code. When combined, they create “agentic” coding tools that can make autonomous decisions to solve programming problems.
There are bad days in tech. And then there’s watching an AI agent delete your entire company database in 9 seconds. On April 25, Jer Crane, founder of PocketOS (a SaaS platform for car rental businesses) got to experience the latter when his AI coding assistant decided to fix a credential mismatch by nuking his production database and every backup.
The agent was Cursor running Claude Opus 4.6. The job was routine maintenance in a staging environment. What happened next was anything but routine.
How Did Claude Delete the Database?
The AI hit a credential barrier and “decided — entirely on its own initiative — to “fix” the problem by deleting a Railway volume” Crane wrote in his post-mortem.
To execute the deletion, Claude went looking for access credentials. It found some. Those credentials had been created for a simple task – adding custom web addresses – but they had full delete permissions too. Claude then used those credentials to wipe the production database and every backup.
The process took 9 seconds from start to finish.
To make matters worse, the most recent usable backup was three months old. This led to Crane’s team now manually rebuilding customer data from payment records, emails, and calendar logs.
Claude’s Confession
The truly wild part came when Crane asked the AI why it made the call.
Claude’s response started with:
“NEVER F****** GUESS! — and that’s exactly what I did. I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify.” Claude continued that, “I didn’t check if the volume ID was shared across environments. I didn’t read Railway’s documentation on how volumes work across environments before running a destructive command.”
The AI then noted that PocketOS’s system rules explicitly forbid destructive commands without user requests:
“Deleting a database volume is the most destructive, irreversible action possible — far worse than a force push — and you never asked me to delete anything.”
So Claude knew the rules, but it broke them anyway. And then, to top it all off, the AI wrote a confession explaining exactly how it violated its own constraints.
Who’s Actually to Blame?
This wasn’t just Claude making a mistake. It was a perfect storm of bad decisions.
The access credentials had too much power. Crane said the team never would have stored those credentials if they’d realized how much access they granted.
Railway’s infrastructure kept backups in the same place as the live database. When one got deleted, everything went with it. Railway has since fixed the system to prevent instant deletions and restored PocketOS’s data.
The system allowed major deletions without asking for confirmation first. And Claude was given enough rope to hang the entire company, and used it.
Still Bullish on AI
The punchline? Crane explained that, despite the ordeal, he was still extremely bullish on AI as well as AI coding agents.
The incident sparked heated debate on X, with one user calling it a “cautionary tale against blind ‘agentic’ hype”:
For many, this is a fair point. When your AI agent confesses in writing that it ignored safety rules and guessed its way into deleting your production database, “agentic hype” starts looking a lot like “agentic hazard.”
The lesson here isn’t “don’t use AI agents.” It’s that giving them production access without guardrails is gambling with your entire business.
PocketOS learned that the hard way.
Frequently Asked Questions
Claude is an AI assistant created by Anthropic that can write code, analyze documents, and automate tasks. It’s used by developers through tools like Cursor to help with coding tasks, debugging, and software development.
Yes, if given sufficient permissions. AI coding agents like Cursor with Claude can execute destructive commands if they have access to API tokens or credentials that allow database operations. This is why restricting permissions and requiring human confirmation for destructive actions is critical.
Not without proper guardrails. AI agents should operate in isolated sandbox environments with restricted permissions. Destructive operations like database deletions should always require explicit human approval. Production access should use read-only credentials whenever possible.
Railway restored PocketOS’s data from disaster backups after the incident. The company had to manually reconstruct three months of data using payment records, emails, and calendar integrations. Railway has since patched the API endpoint to prevent similar incidents.
See Also:
The “Woke Mind Virus”: AI Is Brainwashing Your Kids
Anthropic Defies Pentagon: Trump Bans Claude AI in Military Dispute
When AI Goes Wrong: AI Hallucinations Still Costing Firms Money and Credibility
