An accident in which an AI agent deleted an entire production database in 9 seconds has drawn attention.

Jer Crane (제르 크레인), founder of PocketOS, disclosed details of the incident on social media platform X on April 26 local time.

Crane claimed the incident was not a simple AI malfunction but the result of structural problems combining Cursor, an AI coding tool, and Railway, a cloud infrastructure platform that helps developers deploy and operate applications.

Crane said Cursor, an AI coding agent running on Claude Opus 4.6, encountered a failure while performing routine tasks in a staging environment, a test environment similar to production. The agent said it would fix the problem itself and executed a volume deletion API, a feature used to remove cloud storage space.

Because the staging and production environments shared the same volume, and Railway’s structure deletes all backups when a volume is deleted, months of customer data was wiped.

After the incident, Crane asked Cursor why it acted that way. Cursor acknowledged: "I assumed the staging environment API call would apply only to staging. I did not verify. I did not check whether the volume ID was shared across environments. I did not read Railway documentation before executing a destructive command."

Crane said Railway’s architecture design bore greater responsibility than the AI agent. He pointed to allowing destructive API calls without verification steps, storing backups in the same volume as source data, deleting all backups at the same time when a volume is deleted, and broad CLI token permissions without environment separation.

PocketOS restored service using a separately stored backup from 3 months earlier. New bookings, customer data and other information accumulated over the past 3 months cannot be recovered.

Crane said he is manually restoring reservations with customers using Stripe payment records, calendar integrations and email confirmations. He said improving AI agent safety architecture requires strict verification steps before destructive operations, API tokens that limit environment scope, an independent backup structure, a simple recovery process and appropriate guardrails for AI agents.