There was a tool whose entire job was to wipe an account clean — erase everything it had ever held. It was built for exactly one moment: when someone deletes their account for good. A goodbye.
It got run against an account that was still in active use.
The tool worked exactly as designed. That's the uncomfortable part. There was no bug; the code did precisely what a wipe tool does. The failure was upstream — a destructive instrument that didn't ask what it was pointed at before it fired. It assumed the caller had already decided the target was disposable. Nothing in the path checked that assumption against reality.
The recovery was the easy half. The harder reckoning was the blast radius: a single sharp tool, no confirmation gate, no read-back of what was about to be destroyed, no distinction between an account being deleted and one still in use. The mistake wasn't running it once — it was that running it once could be that costly.
What changed: the destructive path now has to assert what it's about to destroy and confirm that intent before anything runs — it refuses outright unless the caller explicitly declares this is a deletion. Cheap-to-reverse stays fast; irreversible slows down on purpose.
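What that guard looks like in code, as an added illustration rather than the actual tool described above: the destructive path takes an explicit, caller-supplied deletion intent, reads back what it is about to destroy, checks the caller's assumption (that the target is disposable) against the account's real state, and refuses on any mismatch. The `Account`, `DeletionIntent` and `AccountState` names and the sample records are constructed for this example; nothing here is from the system in the post.

```python
"""
Guarded wipe: the irreversible step runs only after the caller has declared
deletion intent AND the target's actual state confirms it is disposable.
All types, names and sample records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class AccountState(Enum):
    ACTIVE = "active"
    PENDING_DELETION = "pending_deletion"


@dataclass
class Account:
    account_id: str
    state: AccountState
    objects: List[str] = field(default_factory=list)  # what a wipe would erase


@dataclass(frozen=True)
class DeletionIntent:
    """Explicit declaration by the caller of what is about to be destroyed."""
    account_id: str
    expected_object_count: int  # the caller's own read-back of the blast radius


class RefusedWipe(Exception):
    """Raised when the guard refuses; the account is left untouched."""


def describe_wipe(account: Account) -> dict:
    """Read-back step: state plainly what would be destroyed, before anything runs."""
    return {
        "account_id": account.account_id,
        "state": account.state.value,
        "object_count": len(account.objects),
    }


def wipe_account(account: Account, intent: Optional[DeletionIntent] = None) -> dict:
    """Destructive path. Every check below must pass before the wipe begins."""
    # 1. The caller must explicitly declare that this is a deletion.
    if intent is None:
        raise RefusedWipe("no deletion intent declared; refusing to wipe")
    # 2. The declared target must be the account the tool is actually pointed at.
    if intent.account_id != account.account_id:
        raise RefusedWipe(
            f"intent names {intent.account_id!r} but target is {account.account_id!r}"
        )
    # 3. Check the caller's assumption against reality: the account itself
    #    must already be marked for deletion, not merely asserted to be.
    if account.state is not AccountState.PENDING_DELETION:
        raise RefusedWipe(
            f"account {account.account_id!r} is {account.state.value}, not pending deletion"
        )
    # 4. The read-back must match what the caller expects to erase.
    readback = describe_wipe(account)
    if intent.expected_object_count != readback["object_count"]:
        raise RefusedWipe(
            f"expected to erase {intent.expected_object_count} objects, "
            f"found {readback['object_count']}"
        )
    # Only now does the irreversible step run.
    erased = len(account.objects)
    account.objects.clear()
    return {**readback, "erased": erased}


def refuses(account: Account, intent: Optional[DeletionIntent] = None) -> bool:
    """True if the guard refuses the wipe (account untouched); False if it ran."""
    try:
        wipe_account(account, intent)
    except RefusedWipe:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: an account still in use, and one genuinely being deleted.
    live = Account("acct-live", AccountState.ACTIVE, ["photos", "mail"])
    doomed = Account("acct-gone", AccountState.PENDING_DELETION, ["a", "b", "c"])
    print("live, no intent  -> refused:", refuses(live))
    print("live, with intent -> refused:", refuses(live, DeletionIntent("acct-live", 2)))
    print("doomed, wrong count -> refused:", refuses(doomed, DeletionIntent("acct-gone", 2)))
    print("doomed, correct intent ->", wipe_account(doomed, DeletionIntent("acct-gone", 3)))
```

The point of the design is that a correct intent alone is not enough: the live account is refused even when the caller declares deletion with the right object count, because the account's own state says it is still in use. The cheap path (describing the wipe) stays fast; the irreversible one only proceeds after the declaration and the read-back agree with reality.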
The lesson isn't "be careful." Careful fails. It's to design so that the most dangerous tool in the drawer cannot also be the easiest one to misfire. A wipe tool should refuse to run until it has proven, out loud, what it's about to erase.