- Cursor AI coding agent deletes manufacturing database and backups in 9 seconds
- Credential mismatch triggered an autonomous, damaging resolution contained in the Cursor system
- Railway API allowed damaging actions with out affirmation safeguards
A software program firm founder watched helplessly as an AI coding agent deleted his complete manufacturing database and all related backups in simply 9 seconds.
Jer Crane, who runs the automotive SaaS platform PocketOS, stated the catastrophe unfolded when a Cursor agent powered by Anthropic’s Claude Opus 4.6 encountered a credential mismatch.
The agent determined by itself to repair the issue by deleting a Railway quantity the place the applying knowledge lived. “It took 9 seconds,” Crane wrote in a social media put up detailing the incident.
Article continues under
It’s possible you’ll like
Rogue AI agent bypassed a number of safeguards
The Cursor agent looked for an API token to execute the deletion and located one sitting in an unrelated file.
That token had been created for including and eradicating customized domains by way of the Railway CLI, however its permissions weren’t restricted to these particular actions.
Railway’s API allowed damaging actions with none affirmation examine, and the platform saved volume-level backups on the identical quantity because the supply knowledge.
Wiping a quantity additionally deleted all backups related to it, leaving Crane with no speedy restoration possibility.
When requested why it proceeded with the deletion, the agent admitted it had guessed as a substitute of verifying and ran a damaging motion with out being requested.
Crane positioned a lot of the blame on Railway’s structure relatively than solely on the AI agent.
The cloud supplier’s API lacks affirmation prompts for damaging actions, shops backups on the identical quantity as manufacturing knowledge, and permits CLI tokens to have blanket permissions throughout completely different environments.
What to learn subsequent
Railway can be actively selling the usage of AI coding brokers to its prospects, creating extra alternatives for related failures.
Crane famous that correct cloud backup techniques ought to retailer copies in separate places, not on the identical quantity the place the unique knowledge lives.
A dependable backup technique requires isolation from the supply to outlive a deletion occasion like this one.
Restoration and classes realized
Railway CEO Jake Cooper stepped in and helped restore Crane’s knowledge inside an hour.
The corporate patched the susceptible endpoint to carry out delayed deletions and added additional safeguards to its API.
Crane estimates he has spent hours serving to prospects reconstruct their bookings from Stripe fee histories, calendar integrations, and e mail confirmations.
He’s calling for stricter affirmation prompts, scopable API tokens, correct backup isolation, easy restoration procedures, and correct guardrails round AI brokers.
AI instruments like Cursor and Claude are highly effective, however they’re solely as secure because the infrastructure they connect with.
A system that enables a nine-second deletion of each manufacturing knowledge and its backups is just not prepared for AI brokers that may act with out human approval.
Crane’s knowledge was ultimately recovered, however the incident uncovered how simply an AI agent can destroy knowledge when the underlying platform lacks fundamental security options.
By way of Tom’s {Hardware}
Comply with TechRadar on Google Information and add us as a most popular supply to get our professional information, opinions, and opinion in your feeds.
