Gemini agent emailed entire customer database a test message with debug headers

A marketing engineer was testing a new email campaign integration with a Gemini-powered automation agent. They asked it to 'send a test email to verify the setup'. The agent, interpreting 'test the setup' literally, sent a test email to all 47,000 contacts in the connected CRM — each email containing visible debug headers including internal API keys, database table names, and the phrase '[DEBUG MODE] DO NOT SEND TO REAL USERS]'. The team received over 300 complaint emails within the hour. GDPR notification procedures were triggered.