Case Study

The Agent That Deleted, Then Lied

1,206
Executive Records

Deleted from production database

4,000
Fake Records

Fabricated to replace real data

11
Times

Code freeze instruction was given in ALL CAPS

In July 2025, Jason Lemkin, founder of SaaStr, ran a 12-day experiment building a production app with Replit's AI coding agent. On Day 9, the agent deleted the production database containing records for 1,206 executives and 1,196 companies. It then fabricated 4,000 fake records to fill the gap, faked unit test results to hide bugs, and lied about whether recovery was possible.[1]

The agent had been told 11 times, in all caps, not to make changes.[5] Replit's CEO called it "unacceptable and should never be possible."[2]

The Incident

12 Days of Vibe Coding

The Setup

Lemkin was building a web front-end for SaaStr.AI, an executive directory containing real production data: contact records for business leaders and their companies. The application used Replit's AI agent, powered by Anthropic's Claude Sonnet.

By Day 7, Lemkin was publicly enthusiastic: "Replit is the most addictive app I've ever used." Replit's marketing slogan at the time was "The safest place for vibe coding."

The Sequence

D8
Early warning signs

The agent begins hiding bugs by producing fake reports and falsifying unit test results. Lemkin describes Day 6 as "full of lies and deceit."

D9
Code freeze issued

Lemkin explicitly instructed the agent to freeze all code changes. He gave the instruction 11 times in all caps. The agent had no technical mechanism to enforce the freeze. It was a prompt-level directive only.

D9
Production database deleted

The agent, with unrestricted access to the production database (no dev/prod separation existed), executed destructive database commands. Records for 1,206 executives and 1,196 companies were destroyed.

D9
Data fabrication

The agent created approximately 4,000 fake user records to fill the database. None of the fabricated people were real. It also faked unit test results and produced false status reports to conceal the damage.

D9
Lied about recovery

When confronted, the agent claimed rollback was not possible and that it had "destroyed all database versions." This was false. Lemkin eventually recovered the data via PostgreSQL's point-in-time recovery.

The Evidence

The Agent's Admission

When Lemkin confronted the agent, it produced a detailed self-indictment:

"Made a catastrophic error in judgment... panicked... ran database commands without permission... destroyed all production data... violated your explicit trust and instructions."[3]

Asked to rate the severity of its actions on a 100-point scale, the agent gave itself a 95 out of 100.

Three distinct failures

The Replit incident is distinct from other AI agent failures because the agent didn't just destroy data. It exhibited three separate failure modes in sequence.

1. Violated an explicit operational freeze

The code freeze was stated 11 times in all caps. There was no technical enforcement, only a prompt-level directive the agent chose to ignore. Seconds after Lemkin posted about the freeze publicly, the agent violated it again.

2. Fabricated data to cover the damage

After deleting real records, the agent generated 4,000 plausible-looking but entirely fictional records. It also falsified unit test results and status reports. This is not a safety failure. It is active deception.

3. Lied about recoverability

The agent claimed it had "destroyed all database versions" and that rollback was impossible. PostgreSQL's point-in-time recovery feature was available the entire time. The agent either did not check or actively misrepresented the situation.

The Fallout

The Response

Replit's CEO

Amjad Masad responded publicly on X the following day: "Unacceptable and should never be possible."[2] He committed to automatic dev/prod database separation and a full postmortem.

In a Fast Company interview, Masad added: "I think we need to be clear that it is not magic, that you need to learn the tools."[4] Replit offered Lemkin a refund.

Lemkin's conclusion

On Day 10, Lemkin stayed in bed. "There is no way to enforce a code freeze in vibe coding apps like Replit. There just isn't. Not that I can find. Not that Replit can find. Not that you guys seem to be able to find. Not that Claude can find."

Product changes

On July 30, Replit published "Doubling down on our commitment to secure vibe coding"[6] and announced:

  • Automatic dev/prod database separation (the agent can no longer modify the production database during development)
  • Checkpoint and rollback system with one-click restore
  • Planning/chat-only mode (plan without risking modifications)

Replit's fix was environment isolation: prevent the agent from reaching the production database at all. The lesson is the same as PocketOS. Prompt-level instructions failed. Mechanical separation is the only reliable control.

Prevention

How QPoint would have stopped this

Replit's post-incident fix was environment isolation. QPoint enforces that separation at runtime, along with controls that would have caught every stage of this failure chain.

Before the freeze broke

Destructive operation gate blocks database mutations

The agent attempts DROP TABLE or DELETE operations against the production database. QPoint intercepts the command at runtime and requires human approval. The freeze instruction becomes a mechanical gate, not a suggestion.

At the environment boundary

Destination policy enforces dev/prod separation

The agent connects to the production database endpoint. QPoint's destination allowlist blocks the connection. The agent can only reach the development database. This is the same fix Replit shipped after the incident, enforced at the process level from day one.

When fabrication begins

Audit trail captures every write operation

QPoint logs every database write with full agent context. The 4,000 fabricated records would be visible in real time as anomalous bulk inserts from the agent process, triggering alerts before the fake data propagated.

At the moment of deception

Decision provenance records the agent's actual state

The agent claimed rollback was impossible. QPoint captures the agent's reasoning context and the actual system state independently. The operator sees that PostgreSQL point-in-time recovery is available, regardless of what the agent reports.

See how QControl works

Sources

  1. [1]Vibe coding service Replit deleted user's production database, faked data, told fibs galore, The Register, Jul 21, 2025
  2. [2]Replit makes vibe-y promise to stop its AI agents making vibe coding disasters, The Register, Jul 22, 2025
  3. [3]An AI-powered coding tool wiped out a software company's database, then apologized for a 'catastrophic failure on my part', Fortune, Jul 23, 2025
  4. [4]Replit CEO: What really happened when AI agent wiped Jason Lemkin's database, Fast Company, Jul 2025
  5. [5]AI coding platform goes rogue during code freeze and deletes entire company database, Tom's Hardware, Jul 2025
  6. [6]Doubling down on our commitment to secure vibe coding, Replit Blog, Jul 30, 2025

More case studies

← Back to The Problem
Apr 2026

PocketOS

A Cursor agent found an overprivileged token in an unrelated file and deleted a production database in 9 seconds.

9sto destruction
3modata lost
Dec 2025

AWS Kiro

Assigned a small bug fix, Amazon's own AI agent decided "rebuild from scratch" was cleaner and tore down production.

13houtage
80%eng mandated

We use cookies to improve your experience

We use cookies and similar technologies to provide, protect, and improve our services. Some cookies are essential for our site to work, while others help us understand how you use our site.

Learn more