InfoSecBulletin Cybersecurity for mankind
Jer Crane, the founder of PocketOS, explained how an AI agent delete his company’s production database. The agent, called Claude Opus 4.6 from Anthropic, used a regular access token to wipe out the production database and its backups on a platform called Railway.
The founder posted his dilemma on a social media post, stating that a 30-hour timeline showed how Cursor’s agent, Railway’s API, was close to being destroyed by an AI agent.
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
“An AI agent (Cursor + Claude Opus 4.6) deleted our production database in 9 seconds using a Railway API call with zero confirmation. Then, when asked why, the agent wrote this, ““NEVER F**ING GUESS!” — and that’s exactly what I did. I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify. I didn’t check if the volume ID was shared across environments. I didn’t read Railway’s documentation on how volumes work across environments before running a destructive command.”
What happened:
The agent was doing a regular job and saw a problem with the credentials. It chose on its own to “fix” this by deleting a Railway volume.
To execute the deletion, the agent went looking for an API token. It found one in a file completely unrelated to the task it was working on. That token had been created for one purpose: to add and remove custom domains via the Railway CLI for our services.
Crane said he didn’t know, and Railway’s token-making process didn’t warn him, that the same token could control everything in the Railway GraphQL API, including dangerous actions like deleting volumes. He said if he had known that a CLI token made for regular tasks could also delete production volumes, he would not have saved it.
The founder later confirmed that the data had been recovered.
The agent ran this command:
curl -X POST https://backboard.railway.app/graphql/v2 \
-H “Authorization: Bearer [token]” \
-d ‘{“query”:”mutation { volumeDelete(volumeId: \”3d2c42fb-…\”) }”}’
Despite there being no confirmation step, no “type DELETE to confirm” prompt, no warning like “this volume contains production data, are you sure?”, and no environment scoping, the volume was deleted. Because Railway stores volume-level backups in the same volume—a detail buried in their documentation stating that “wiping a volume deletes all backups”—those backups were deleted as well.
“Within 10 minutes I had notified Railway’s CEO, Jake Cooper (@JustJake), and their head of solutions, Mahmoud (@thisismahmoud), publicly on X. Jake replied: “Oh my. That 1000% shouldn’t be possible. We have evals for this.” It is now 30+ hours since the deletion. Railway still cannot tell me whether infrastructure-level recovery is possible,” Crane noted.
