- Cursor AI encryption agent deletes production database and backups in nine seconds
- Credential mismatch triggered an autonomous and destructive decision within the Cursor system
- Rail API allowed destructive actions without confirmation safeguards
The founder of a software company watched helplessly as an AI encryption agent wiped his entire production database and all associated backups in just nine seconds.
Jer Crane, who runs automotive SaaS platform PocketOS, said disaster struck when a Cursor agent powered by Anthropic’s Claude Opus 4.6 encountered a credentials mismatch.
The agent decided on his own to solve the problem by deleting a railway volume where the application data was located. “It took 9 seconds,” Crane wrote in a social media post detailing the incident.
Article continues below.
Rogue AI Agent Bypassed Multiple Safeguards
The Cursor agent looked for an API token to execute the delete and found one in an unrelated file.
That token was created to add and remove custom domains via the Railway CLI, but its permissions were not limited to those specific actions.
Railway’s API allowed destructive actions without any confirmation checks, and the platform stored volume-level backups on the same volume as the source data.
Wiping a volume also deleted all backups associated with it, leaving Crane with no immediate recovery option.
When asked why he proceeded with the removal, the agent admitted that he had guessed rather than verified and executed a destructive action without being prompted.
Crane placed much of the blame on Railway’s architecture and not solely on the AI agent.
The cloud provider’s API lacks confirmation messages for destructive actions, stores backups on the same volume as production data, and allows CLI tokens to have general permissions across different environments.
Railway is also actively promoting the use of AI coding agents among its customers, creating more opportunities for similar failures.
Crane noted that proper cloud backup systems should store copies in separate locations, not on the same volume where the original data is located.
A reliable backup strategy requires source isolation to survive a deletion event like this.
Recovery and lessons learned
Railway CEO Jake Cooper stepped in and helped restore Crane’s data within the hour.
The company patched the vulnerable endpoint to perform delayed deletions and added more security measures to its API.
Crane estimates that he has spent hours helping clients reconstruct their reservations from Stripe payment histories, calendar integrations, and email confirmations.
It calls for stricter confirmation prompts, scoped API tokens, proper backup isolation, simple recovery procedures, and proper guardrails around AI agents.
AI tools like Cursor and Claude are powerful, but only as secure as the infrastructure they connect to.
A system that allows you to delete both production and backup data in nine seconds is not prepared for AI agents that can act without human approval.
Crane’s data was eventually recovered, but the incident exposed how easily an AI agent can destroy data when the underlying platform lacks basic security features.
Through Tom Hardware
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
