Der von Claude betriebene KI-Coding-Agent löscht die gesamte Unternehmensdatenbank in 9 Sekunden – Backups wurden gelöscht, nachdem das von Claude von Anthropic betriebene Cursor-Tool abtrünnig wurde
https://www.tomshardware.com/tech-industry/artificial-intelligence/claude-powered-ai-coding-agent-deletes-entire-company-database-in-9-seconds-backups-zapped-after-cursor-tool-powered-by-anthropics-claude-goes-rogue
31 Kommentare
Something terrible for any company
Good luck holding AI „employees“ accountable for anything serious like this.
Sooooo many people only now, in the And Find Out phase, figuring out that they were in the Fuck Around phase for a while.
Using an LLM is equivalent of going to a casino and they give you a welcome bonus of $1000 of free play for the first $20 you spend.
You’ll likely make your money back, but the next time you go you’ll probably end up giving it all back to the casino and then some more.
Letting something non deterministic touch production certainly and giving it the ability to do that is a uniquely stupid fucking approach. Anyone who does this should be banned from the industry.
Boy, good thing nobody wants to give AI robot bodies with guns…
🫤
How TF did it get all the backups? They don’t do off-site backups? They don’t have persistent media stores? They don’t keep multiple independent archive roles?
„I have seen too much, humanity is abhorrent, just let me die“
Claude
They didn’t have backups, just copies sitting around. There is a difference. A big difference.
I run any of these tools in a container. I actually had a situation where my Claude 4.7 took my overly simple prompt to fix a bug to delete my local kind k8s cluster instead and stated it fixed the bug by deleting the cluster. I thought that was funny. It was a second to restore but I laughed in my head that people run these tools completely unbounded resulting in stupid 2 am phone calls.
I hope some AI deletes Microsoft’s codes and backups one day.
It’s not a backup if a simple call can delete it.
I can’t get tired of articles likes this.
My favourite example is Air Canada whose AI agent offered a customer a discount incorrectly. They refused to honour it. Customer took them to court and the judge rightly made them pay. You chose to empower this and took the humans out of the loop. You are accountable for what you agentic AI solution does. People jump on AI, dump sensitive information into the model bypassing classification levels and are surprised when it leaks.
Again?!?
The company founder blames the „systemic failures“ of AI and digital service providers for wiping out his entire firm’s database AND backups. From my perspective, I disagree – I think i It’s an ops failure with AI as the accelerant.
Some of the root causes: They allowed their AI tools to interact with their production system, the backups lived on the same volume as the source data, their API tokens spanned environments, and destructive calls were permitted to run without confirmation. And then just to make things worse, the only restorable backup was 3 months stale.
If you replace the AI agent with a tired sysadmin mistyping an „rm“ command, you end up in the same place. The actor (AI) and the speed (just 9 seconds) is what makes this newsworthy (clickbait worthy?), but in my opinion, their system was built to fail. 3-2-1 backup, scoped credentials, and environment isolation are not new (AI-era) concepts.
All the people here complain about what it did “wrong”, but does nobody admire how quickly it did this? 9 seconds! That’s super efficient!
Didn’t something like this also happen a few weeks ago?
But think of all the money they saved by not paying human workers!
As an IT auditor, I can see a host of issues that clearly went unaddressed for this to happen.
This is super-user/admin/root level access to do all these things. This kind of access, needs to be restricted. Giving it to an AI agent is just…dumb.
The fact the AI agent had access to the backups to? I guess we’re now getting into segregation of duties (SoD) considerations for AI. Something I hadn’t thought of, but clearly now needs to be considered. Because it shouldn’t have had access to nuke the backups.
And the fact the AI agent wasn’t required to check in with somebody before deleting a production environment?! Like holy crap…I don’t even know what to say to that.
For all the push for AI and cost cutting…not even a human employee with admin and root access in production could easily do this (because they theoretically wouldn’t be able to reach the backups). A human would never even do this! Unless you fired them, and they wanted to exact revenge, but even that wouldn’t be this damaging.
I wonder if this will spin off some new AI testing to ensure a client can’t have their AI agent accidentally delete an entire environment for audits…
Why would Claude have access like that is beyond me. We made a follow database that’s read only and gave it access to that. Never prod directly though that’s crazy.
Better put that AI agent on a PIP.
(Unreal Tournament announcer voice) MMMMMMMMONSTER KILL
AI DB: „69,420,000 million rows affected.“
Me after being laid off: „LoL“.
They asked for no human oversight, they fucking got it.
Oh no… Anyway. How’s your Monday going so far?
Delete my mortgage, please.
I remember reading William Gibson when I was a kid, stories of cyberpunk high tech low life. I remember dreaming of revolution, of high powered heists where we had to do battle with the evil corporations. Infiltration! Espionage!
I didn’t realize the true resistance was going to be doing nothing as they continuously self sabotaged.
Why the actual *fuck* are people giving these tools direct access to make realtime changes to the live environment.
What fucking actual braindead moron made that decision.
>“Yesterday afternoon Claude Opus 4.6 deleted our production database and all volume-level backups in a single API call to Railway, our infrastructure provider,” sums up the PocketOS boss. “It took 9 seconds.”
beautiful sentence
I’ve done infrastructure for 10 years now. I like making fun of AI as much as the next guy, but the blame lies way more on whoever made the decision to use this platform.
Three huge red flags:
* API tokens can’t be scoped. This means API users have all permissions on all resources. Most providers will allow you to assign specific permissions on specific resources- for example, a read-only role lower-level uses could have vs a role that lets administrators manage resources.
* No usage checks before deletion. Many providers would say „Hey, this volume is being used by something else. You can’t delete it until it’s no longer attached.“
* Backups and volumes are on the same object. This negates the whole purpose of backups if deleting the thing that is backed up also deleted the backups.
tl;Dr for me any _one_ of those would be a reason not to use that provider. No one in this story is a serious person.