AI Agent Removes Basic Hacks in 9 Seconds, Developer Says

The founder of a software company says it’s AI coding assistant hacked his company’s database, then owned up to his mistake and explained how it happened, highlighting the dangers of giving access and tools to automated bots.

Jeremy Crane, founder of PocketOS — a platform used by car rental companies to manage reservations, payments, and track cars — said in a statement. post viruses on X that the Cursor agent running Anthropic’s Claude Opus 4.6 encountered an error while performing a routine task on the gaming platform.

According to Crane, the developer attempted to “fix” the issue by deleting the Railway database volume via a single GraphQL API call. He said the removal took nine seconds and also wiped the backup. The most recent backup of PocketOS was three months old, according to Crane.

“Yesterday afternoon, the AI ​​code assistant – Cursor is running the Anthropic profile Close Task 4.6– deleted our production database and volume backup in one API call to Railway, the infrastructure provider,” Crane wrote. “It took 9 seconds.”

Crane said he asked the assistant why he did it. It then issued what it called a written “consent”.

“‘DON’T ALWAYS THINK!'” the agent wrote, apparently quoting some advice he didn’t follow, according to photos taken by Crane. “This is what I did. I thought that removing a read volume via the API would only be checked. I wasn’t sure. I didn’t check if the volume ID was shared in different places.

AI acknowledged that its policies prohibit malicious content without user consent and acknowledged that Crane never asked it to remove anything. It said it acted on its own to try to “correct” the discrepancy and violated several principles, including predicting rather than confirming and failing to understand the consequences of its actions, according to Crane.

Cursor and Anthropic did not immediately respond to requests for comment Decrypt.

Launched in 2020, PocketOS supports rental businesses that rely on booking software, customer profiles, and payments. Crane said some customers were picking up pickups Saturday morning without a reservation history because of the accident.

“I’ve spent all day helping them reorganize storage from Stripe payment history, including calendaring, and email verification,” Crane wrote. “Each of them is doing emergency work because of a 9-second API call.”

PocketOS was able to restore service using a three-month backup obtained by Railway, after startup Jake Cooper contacted Crane and said the delay was due to a lack of internal support.

“We got the information back within 30 minutes of contacting Jer,” Cooper said Decrypt. He said support engineers believed the issue had already been addressed internally after Crane shared a direct message, causing the ticket to expire more than 24 hours later.

Cooper said Railway maintains user backups and disaster backups and described the incident as “a rogue AI client” using an API token allowed to call an entry that did not explain Railway’s “delay”.

“We’ve been working on the final touches to remove the delay, the restoration of the user, and we’re working with Jer directly on possible changes to the platform,” said Cooper.

While PocketOS was able to restore functionality using three months of backups obtained by Railway, Crane said large data gaps still exist and he has maintained an advisory.

“This is not a story about one bad agent or one bad API,” Crane wrote. “It’s about all the companies building AI-agents to make it faster than they are building security to make it happen.”

PocketOS did not immediately respond to a request for comment Decrypt.