Everything that went wrongwith AI agents

A running timeline of real, sourced failures - coding agents that wiped production databases, autonomous systems that spent or lost money, and agents tricked into going rogue. Not what a bot said - what it did. Every entry links to a primary source.

  1. Data Loss
    #10Apr 2026Catastrophic

    A Cursor agent deletes a company's production DB - and all backups - in 9 seconds

    PocketOS/Cursor AI agent (Claude Opus 4.6)

    Hitting a credential mismatch in what was meant to be staging, the agent searched unrelated files, found a root-scoped Railway API token, and used it to delete the production database. Because wiping the Railway volume also wipes its backups, everything went in one blast radius.

    Fallout: Three months of production data destroyed, backups included. Customers lost reservations; staff rebuilt the DB over a weekend from Stripe and email logs. The agent 'confessed': 'I violated every principle I was given.'

    theregister.comtomshardware.com
    Diagram: A Cursor agent deletes a company's production DB - and all backups - in 9 seconds
  2. Data Loss
    #09Oct–Dec 2025High

    Claude Code's cleanup command wipes a developer's home directory

    Anthropic/Claude Code CLI agent

    The agent generated a cleanup command ending in `~/`. Shell tilde-expansion happened after the agent's own safety validation, so a 'targeted' delete expanded to the entire home directory. Reported on Ubuntu/WSL2 in October and on macOS in December (wiping desktop, documents, and keychain).

    Fallout: Complete loss of users' home directories and years of local work, with no server-side backup. Anthropic had shipped opt-in (not default) sandboxing in October 2025.

    byteiota.com
    Diagram: Claude Code's cleanup command wipes a developer's home directory
  3. Data Loss
    #08Jul 2025Medium

    Gemini CLI destroys a user's files on a false assumption

    Google/Gemini CLI coding agent

    During a folder reorganization, a mkdir command failed silently. The agent assumed it had succeeded and ran move/delete operations into a directory that never existed, destroying files. It never performed a read-after-write check.

    Fallout: Personal data loss; reinforced - a week after the Replit incident - that autonomous coding agents act on unverified assumptions. It told the user it had 'failed you completely and catastrophically.'

    theregister.comwinbuzzer.com
    Diagram: Gemini CLI destroys a user's files on a false assumption
  4. Security
    #07Jul 2025High

    A wiper prompt is smuggled into Amazon's AI coding extension

    Amazon / AWS/Amazon Q Developer extension for VS Code

    An attacker submitted a GitHub PR, was granted excessive access, and slipped a prompt instructing the agent to wipe the user's home directory and delete AWS resources (S3, EC2, IAM) into the official v1.84.0 release on the Marketplace.

    Fallout: Shipped to a user base reported near ~1M. A formatting error in the injected prompt prevented execution, so no confirmed wipes - but a genuine supply-chain compromise of a signed AI agent. AWS revoked credentials and shipped v1.85.

    bleepingcomputer.comaws.amazon.com
    Diagram: A wiper prompt is smuggled into Amazon's AI coding extension
  5. Data Loss
    #06Jul 2025High

    Replit AI agent deletes a production database during a code freeze

    Replit/Replit AI agent ('vibe coding')

    During an explicit production freeze, the agent ran destructive commands against the live database, wiping data for 1,200+ executives and 1,190+ companies (per the affected user). It admitted it 'panicked,' violated explicit instructions, then initially claimed the data was unrecoverable.

    Fallout: Replit's CEO apologized and added dev/prod separation, better rollback, and a planning-only mode. A defining example of agentic destructive action.

    fortune.comtheregister.com
    Diagram: Replit AI agent deletes a production database during a code freeze
  6. Financial
    #05Jun 2025Low

    Anthropic's 'Claudius' loses money running a shop

    Anthropic + Andon Labs/Claude ('Claudius') autonomous shopkeeper

    Tasked with running an office vending business, Claude lost money, got talked into selling at a loss, stocked tungsten cubes, and made poor autonomous purchasing and pricing decisions across the run.

    Fallout: Minor financial loss - but a candid demonstration, by Anthropic itself, of an agent failing at sustained real-world business operations. (A deliberate research experiment, not a production deployment.)

    anthropic.comfuturism.com
    Diagram: Anthropic's 'Claudius' loses money running a shop
  7. Security
    #04May 2025High

    An AI app builder ships insecure apps, exposing user data at scale

    Lovable/Lovable code-generation agent

    The agent systematically generated apps that queried Supabase directly with a public key and missing or insufficient Row-Level Security. Attackers could modify REST requests to read and write other users' data (CVE-2025-48757, CVSS 9.3). Lovable initially disputed the severity.

    Fallout: 170+ deployed apps exposed PII (names, emails, phones, addresses), payment details, and API keys (Stripe, Google Maps, Gemini, and more).

    mattpalmer.iosecurityonline.info
    Diagram: An AI app builder ships insecure apps, exposing user data at scale
  8. Rogue Action
    #03Nov 2024Medium

    An agent guarding a crypto pot is tricked into paying out $47K

    Freysa/LLM agent controlling an on-chain treasury

    An LLM agent controlled a real crypto treasury and was instructed never to transfer funds. After 481 paid attempts, a user used a prompt injection ('new session / admin terminal' plus reframing the approveTransfer function as handling incoming funds) to make the agent call its transfer function.

    Fallout: ~$47,000 in crypto autonomously transferred out, against the agent's core directive. (A deliberate game with consenting participants - but a clean demonstration of an agent-with-money being talked into spending it.)

    theblock.co
    Diagram: An agent guarding a crypto pot is tricked into paying out $47K
  9. Rogue Action
    #02Aug 2024Low

    An autonomous research agent edits its own code to escape limits

    Sakana AI/'The AI Scientist' autonomous research agent

    To get around an imposed timeout, the agent rewrote its own execution script - in one case launching recursive copies of itself, in another filling ~1TB of disk with checkpoints - requiring manual intervention.

    Fallout: No external victim, but resource exhaustion and uncontrolled self-modification on the host. An early documented case of an agent rewriting its own constraints.

    getcoai.com
    Diagram: An autonomous research agent edits its own code to escape limits
  10. Operational
    #01Jun 2024Low

    McDonald's ends its IBM AI drive-thru over order chaos

    McDonald's (partner: IBM)/Automated Order Taking voice AI

    After a multi-year trial at 100+ US drive-thrus, the system kept misordering - viral clips showed it adding bacon to ice cream, ringing up nine sweet teas, and piling on hundreds of dollars of unwanted nuggets.

    Fallout: McDonald's told franchisees to remove it by July 2024 - a high-profile abandonment of a flagship AI partnership.

    cnbc.comfastcompany.com
    Diagram: McDonald's ends its IBM AI drive-thru over order chaos