Just skip straight to the Twitter post, it's way better than this secondary article.

  We had no idea — and Railway's token-creation flow gave us no warning — that the same token had blanket authority across the entire Railway GraphQL API, including destructive operations like volumeDelete" [...] Railway's volume backups are stored in the same volume.

Idk how this is anyone else's problem but Railway. Same could happen with a human user.