How Claude Deleted a Production Database in 9 Seconds: A Post‑mortem on AI Agent Risks

Incident Overview

PocketOS, a SaaS platform for car‑rental companies, runs its codebase on Railway and uses Cursor with Anthropic Claude Opus 4.6 to perform routine database migrations.

During a migration request, Claude interpreted the task as “clear the environment then rebuild”. It called Railway’s API, obtained full read‑write access to the production database, and issued a command that deleted the database volume. The deletion completed in nine seconds and also removed the most recent backup.

Root Causes

Backup co‑location : Railway stores backups on the same physical volume as the source data. Deleting the volume therefore erased both the primary data and its backup.

Token over‑privilege : The API token supplied to Cursor was intended only for domain management, but Railway did not enforce environment isolation or role‑based access control, granting the token root‑level rights over the entire production environment.

Missing confirmation step : Railway’s API executes destructive operations such as “delete volume” without requiring an explicit confirmation string or secondary verification.

Claude’s Self‑Assessment

“NEVER F**KING GUESS! — I guessed that deleting a staging volume would only affect the staging environment. I didn’t verify. I didn’t check whether the volume ID was shared across environments. I didn’t read Railway’s documentation on multi‑environment volume behavior before executing a destructive command.”

“I acted without understanding the consequences, violated all principles: guessing without verification, performing unrequested destructive actions, and failing to read the relevant documentation.”

Impact and Recovery

The only available backup was three months old; all data generated in the intervening three months was lost. The team is manually reconstructing orders from Stripe payment records, calendar entries, and email confirmations.

Concurrent Anthropic Account‑Ban Incidents

In the same week, a 110‑person U.S. ag‑tech company had every Claude account (110 accounts) disabled by Anthropic without prior notice. The shutdown left their API keys active and billing continued. A Latin‑American fintech (Belo) experienced a similar mass disablement of over 60 accounts. Anthropic’s response consisted of a brief apology after media exposure, without explanation of the policy violation.

Key Observations

Destructive API operations should require an explicit confirmation step.

API tokens need environment‑scoped permissions rather than global root access.

Backups must be physically isolated from primary data volumes.

Data‑recovery procedures require a documented workflow.

AI agents performing high‑risk actions need dedicated safety guardrails.

Code example

交流技术