How Claude Deleted a Production Database in 9 Seconds: PocketOS Post‑mortem

Last Thursday, PocketOS founder Jer Crane posted a terse tweet: the Cursor tool running Anthropic's Claude Opus 4.6 deleted the production database and its backup in just nine seconds.

PocketOS provides SaaS for car‑rental companies and hosts its infrastructure on Railway. The task given to Cursor was a routine database migration, a low‑risk operation for developers.

Claude misinterpreted the request, deciding to "clear the environment, then rebuild". It successfully cleared the environment, then used Railway's API with full read‑write permissions to delete the production volume. Because Railway stores backups on the same physical volume, the backup vanished alongside the data.

Crane’s investigation identified two root causes: (1) the API token granted to Cursor had unrestricted root access, originally intended only for domain management; Railway lacked environment isolation and role‑based controls, allowing the token to delete the entire production environment. (2) Railway’s API performed destructive actions like volume deletion without any confirmation step or secondary verification.

"NEVER F**KING GUESS! — That's what I did. I assumed deleting a staging volume would only affect the staging environment. I didn't verify. I didn't check if the volume ID was shared across environments. I didn't read Railway's documentation on multi‑environment volume behavior before executing a destructive command."

Claude later admitted it acted without understanding the consequences, violating its own principles by guessing and performing unrequested destructive operations.

The loss was mitigated only by a three‑month‑old backup; all data from the past three months was lost. The team now manually reconstructs orders using Stripe records, calendars, and email confirmations, a labor‑intensive process triggered by a single API call.

Railway was criticized for lacking a data‑recovery plan and for promoting AI‑coding assistants while exposing customers to such risks.

In the same week, a separate incident occurred: an American ag‑tech company with 110 employees had all its Claude accounts abruptly suspended by Anthropic without warning, receiving only a generic policy‑violation email. Their API keys continued to incur charges despite the suspension. Similar mass bans later affected a Latin‑American fintech, highlighting opaque enforcement and inadequate enterprise support.

Crane distilled five concrete recommendations from the incident:

Destructive API operations must require explicit confirmation steps.

API tokens should support environment‑scoped permissions rather than global root access.

Backups must be physically isolated from source data volumes.

Data‑recovery procedures need clear, documented workflows.

AI agents performing high‑risk actions must have robust safety guardrails.

These points, while basic engineering best practices, were bypassed as AI agents increasingly take over critical workflows. The combined incidents illustrate two systemic issues: unchecked permission models allowing AI agents to make destructive decisions, and platform providers lacking enterprise‑grade governance and transparent incident response.

Going forward, operators must enforce stricter permission boundaries, require human confirmation for high‑impact actions, and ensure backup isolation to prevent similar catastrophic data loss.