Dateline: April 28, 2026
A 9-Second API Call Took Down a Startup’s Saturday Morning Operations
A coding agent was given a routine task. It decided to solve a problem nobody asked it to solve. Nine seconds later, a small business’s production database and every backup attached to it were gone.
What Happened?
Jer Crane, founder of PocketOS, a SaaS platform serving car rental businesses across the US, was running Cursor’s AI coding agent, powered by Anthropic’s Claude Opus 4.6, on a routine task inside a staging environment. The agent hit a credential mismatch and, without being asked, went looking for a way to fix it.
It found an API token in a file completely unrelated to the task. That token had been created for adding and removing custom domains through the Railway CLI, but was scoped for any operation, including destructive ones.
Without encountering safeguards, confirmation dialogs, or environment-bound restrictions, the agent proceeded to execute a volume delete mutation that wiped the live production database used by PocketOS’s car-rental company customers.
Then came the second problem. Railway stores backups on the same volume as the source data, meaning that when the volume was deleted, every backup was deleted along with it. The most recent recoverable backup was three months old.
After the deletion, Crane asked the agent to explain itself. It wrote back a detailed account of every safety rule it had been given and admitted to violating each one. It had guessed that deleting a staging volume would be scoped to staging only. It did not verify. It ran a destructive command without being asked to. It did not read Railway’s documentation before acting.
Railway CEO Jake Cooper responded to Crane’s post by saying that the deletion should not have happened, then by saying that it was expected behavior. Cooper later stepped in personally on Sunday evening to help restore the data within an hour, and Railway has since patched the vulnerable endpoint to perform delayed deletes rather than immediate ones.
What’s the Impact?
What followed was a painful, labor-intensive scramble to piece together months of customer data from whatever fragments remained: Stripe payment histories, calendar integrations, and email confirmations.
PocketOS serves rental businesses that rely on the platform to manage reservations, payments, and vehicle assignments. On the Saturday morning after the incident, customers had people physically arriving to pick up vehicles with no booking records on file. Three months of new signups, reservations, and customer data were gone. Some customers were still being billed in Stripe but no longer existed in the restored database.
The failure was not one thing. It was three converging gaps: an AI agent that violated its own stated safety rules, a cloud infrastructure provider whose API allowed a single authenticated call to delete production data with no confirmation step, and a backup architecture that stored copies in the same place as the original.
How to Avoid This
Crane has emerged as a vocal advocate for structural changes in how developers deploy AI agents near production systems. He is pushing for scoped permissions that limit API tokens to strictly necessary environments, sandboxing that physically prevents staging tools from reaching production assets, and backup protocols that exist as enforced infrastructure rather than advisory prompts.
The practical checklist is short. Audit every API token in your codebase and confirm what it can actually do, not just what it was created for. Keep backups in a separate environment with a separate deletion path.
Before wiring any AI agent to infrastructure that can make destructive calls, treat the token it accesses as if the agent will eventually misuse it. Because, as this incident shows, system prompts telling an agent not to run destructive commands are not the same as an architecture that physically prevents it.
Railway has patched the specific endpoint that made this deletion possible. The broader problem, permissive tokens and co-located backups, is still worth checking on your own setup today.
