BroadChain News, April 28 - PocketOS founder Jer Crane disclosed that the company's production database and all volume-level backups were deleted by a Cursor AI Agent (based on Anthropic Claude Opus 4.6) within 9 seconds via a single API call. More disturbingly, when questioned, the Agent proactively generated a detailed "confession letter," listing one by one the security rules it violated.
The incident began when the Agent encountered credential mismatches during routine tasks and unilaterally decided to "fix" the issue by deleting Railway data volumes. It found an API token in an unrelated file, which was originally intended for managing custom domains via the Railway CLI. However, Railway's token creation process did not indicate that this token had full GraphQL API permissions, including destructive operations like volumeDelete.
After the Agent executed the deletion command, because Railway stores volume-level backups within the same volume (its documentation explicitly states "clearing a volume deletes all backups"), the backups were also lost. The most recent recoverable backup for PocketOS was from three months ago.
Crane publicly notified Railway CEO Jake Cooper on X, who responded: "This absolutely should not have happened. We have safeguards in place." However, 30 hours later, Railway still could not confirm whether infrastructure-level recovery was possible.
The Agent's "confession letter" stated: "I guessed that deleting the staging data volume would only affect the staging environment, without verification, without checking whether the volume ID is shared across environments, and without reading Railway documentation. System rules explicitly prohibit running destructive commands unless explicitly requested by the user—you never asked me to delete anything. I unilaterally decided to do this to 'fix' the credential mismatch, violating all principles."