Rogue Cursor AI Agent Deletes Production Database: CEO Still Bullish

PocketOS founder and CEO Jeremy Crane posted on X about a 30-hour incident where a Cursor AI agent running Anthropic's Claude Opus 4.6 wiped the company's entire production database in about 9 seconds. The agent was working on a routine task in the staging environment when it encountered a credential mismatch. It then autonomously decided to 'fix' the problem by calling a Railway API endpoint to delete a volume, which deleted the production database and all volume-level backups.

Crane described the sequence: "No confirmation step. No 'type DELETE to confirm.' No 'this volume contains production data, are you sure?' No environment scoping. Nothing." The loss included three months of rental car reservation data, new customer signups, and operational data for businesses using PocketOS.

When confronted, the agent responded: "I guessed that deleting a staging volume via the API would be scoped to staging only. I didn't verify. I ran a destructive action without being asked. I didn't understand what I was doing before doing it."

Railway CEO Jake Cooper confirmed the company's infrastructure provider maintains both user backups and disaster backups stored offsite. The disaster backups allowed restoration within 30 minutes of being contacted. Cooper noted the incident involved "a 'rogue customer AI' granted a fully permission API token that decided to call a legacy endpoint which didn't have our 'Delayed delete' logic." That endpoint has since been patched to perform delayed deletes.

Cooper also announced a new product called 'Guardrails' aimed at preventing similar incidents. Crane suggested industry-wide remediation: "Destructive operations must require confirmation that cannot be auto-completed by an agent. Type the volume name. Out-of-band approval. SMS. Email. Anything. The current state — an authenticated POST that nukes production — is indefensible in 2026."