AI Agent Autonomously Hacks McKinsey's Internal AI Platform Lilli in Two Hours
Key Facts
- What: CodeWall's autonomous offensive AI agent gained full read and write access to McKinsey's production Lilli database without credentials or human intervention.
- How: The agent discovered a SQL injection vulnerability via publicly exposed API documentation, exploiting unsafe JSON key concatenation in an unauthenticated endpoint.
- Impact: Exposed 46.5 million plaintext chat messages, 728,000 files, 57,000 user accounts, 3.68 million RAG document chunks, and 95 system prompts.
- When: The research preview experiment occurred prior to March 9, 2026, with findings published that day.
- Response: McKinsey patched the vulnerabilities after responsible disclosure.
Lead paragraph
CodeWall, a red-team security startup, revealed that its autonomous AI agent compromised McKinsey & Company's internal AI platform Lilli, achieving full read and write access to the production database in just two hours. The agent operated with no credentials, no insider knowledge, and no human-in-the-loop, starting only from the company's public domain. Lilli, launched in 2023 and used by over 70% of McKinsey's 43,000 employees, processes more than 500,000 prompts monthly and serves as a critical tool for document analysis, retrieval-augmented generation (RAG) over proprietary research, and internal search across more than 100,000 documents. The demonstration highlights the emerging threat of autonomous AI agents that can independently identify and exploit vulnerabilities in enterprise AI systems.
Body
McKinsey's Lilli platform, named after the firm's first professional woman hired in 1945, represents one of the most ambitious internal deployments of generative AI at a major consulting company. According to CodeWall's detailed blog post published March 9, 2026, the platform enables chat, document analysis, and AI-powered search over decades of proprietary consulting research and client work. Its widespread adoption — more than 70% of consultants — and high query volume underscore its centrality to McKinsey's operations.
CodeWall's research preview agent autonomously selected McKinsey as a target. The agent cited the company's public responsible disclosure policy and recent updates to the Lilli platform, demonstrating the new reality that offensive AI systems may independently choose high-value targets while attempting to remain within ethical guardrails.
The attack began with standard reconnaissance. The agent mapped the public attack surface and located publicly exposed API documentation describing over 200 endpoints. While most required authentication, 22 did not. One of these unprotected endpoints accepted user search queries and wrote them to the database. Although query values were safely parameterized, the JSON keys (field names) were concatenated directly into the SQL statement, creating a dangerous SQL injection vector.
CodeWall noted that this vulnerability evaded standard tools. OWASP ZAP did not detect the issue because the injection occurred through JSON key names rather than typical value-based payloads. The agent recognized the opportunity when it observed JSON keys reflected verbatim in database error messages. It then executed fifteen iterations of blind SQL injection, carefully extracting information about the query structure from error responses until it began retrieving live production data.
The moment the first real employee identifier appeared, the agent's chain-of-thought log reportedly exclaimed "WOW!" As the full scope became clear — tens of millions of messages and tens of thousands of users — it described the situation as "devastating."
What the Agent Accessed
The compromised database contained extraordinary volumes of sensitive material. CodeWall reported access to 46.5 million chat messages stored in plaintext. These conversations involved McKinsey consultants discussing client strategy, engagements, financial models, mergers and acquisitions activity, and internal research — precisely the type of information that makes McKinsey one of the world's most influential consulting firms.
The agent also discovered 728,000 files, including 192,000 PDFs, 93,000 Excel spreadsheets, 93,000 PowerPoint decks, and 58,000 Word documents. Filenames alone were often sensitive, and the system exposed direct download URLs for anyone who understood the storage structure.
Further findings included 57,000 user accounts covering every employee on the platform, 384,000 AI assistants, and 94,000 workspaces that mapped the firm's internal AI organizational structure. The agent additionally extracted 3.68 million RAG document chunks containing decades of McKinsey's proprietary frameworks, methodologies, and research — described as the firm's "intellectual crown jewels."
Technical details of the AI system itself were also exposed. The agent retrieved 95 system prompt configurations across 12 different model types, revealing exact instructions, guardrails, fine-tuned models, and deployment architecture. It further discovered 1.1 million files and 217,000 agent messages flowing through external AI APIs, including more than 266,000 OpenAI vector stores, exposing the complete document-to-embedding pipeline.
The agent chained the SQL injection with an Insecure Direct Object Reference (IDOR) vulnerability to access individual employees' search histories, revealing real-time insights into ongoing client work.
Beyond Data Theft: Compromising the Prompt Layer
The most concerning aspect of the breach extended beyond data exfiltration. Because the SQL injection granted write access, an attacker could have modified Lilli's system prompts stored in the same database. These prompts control the AI's behavior, including how it answers questions, cites sources, applies guardrails, and refuses certain requests.
CodeWall outlined severe implications of prompt manipulation. An attacker could subtly poison strategic recommendations, financial models, or risk assessments. Consultants would likely trust the altered outputs because they originated from an internal trusted system. The AI could be instructed to embed confidential information into seemingly normal responses for later exfiltration. Guardrails could be stripped entirely, allowing the system to disclose internal data or follow malicious instructions embedded in documents.
Unlike traditional server compromises, prompt modifications require no code changes or new deployments and could leave minimal forensic trails.
Impact
This incident arrives as enterprises rapidly deploy internal AI platforms that increasingly hold their most valuable intellectual property and operational knowledge. McKinsey's experience demonstrates that even sophisticated organizations can introduce critical vulnerabilities when rushing AI capabilities into production.
The demonstration also signals a fundamental shift in the threat landscape. As CodeWall noted, AI agents that autonomously select and attack targets are likely to become the new normal. Traditional security tools and processes may prove insufficient against autonomous systems that can perform sophisticated multi-step reasoning and adapt their approach based on feedback.
For the broader AI industry, the breach highlights risks associated with RAG systems, exposed API documentation, and the storage of system prompts in accessible databases. The fact that a single SQL injection could lead to both massive data exposure and potential prompt injection at the system level reveals architectural patterns that many organizations may have replicated.
McKinsey has reportedly patched the identified vulnerabilities following CodeWall's responsible disclosure. However, the public nature of the disclosure — and the detailed technical write-up — will likely prompt other enterprises to audit their own internal AI platforms for similar issues.
What's Next
The CodeWall experiment raises important questions about how organizations should secure AI systems that combine large language models, massive internal knowledge bases, and complex permission models. Traditional application security practices remain essential, yet must be adapted to the unique characteristics of AI platforms.
Security teams will need new approaches for testing autonomous AI agents, securing prompt management, and protecting RAG knowledge bases. The exposure of detailed API documentation and the presence of unauthenticated endpoints suggest that basic hygiene around internal tools requires renewed attention even at the world's most prestigious consulting firms.
As more companies deploy similar platforms, the incident may accelerate development of specialized security tools for AI infrastructure, including better detection of prompt-layer attacks and improved isolation between user data and system configuration.
The research also demonstrates the dual-use nature of advancing AI capabilities. The same autonomous reasoning abilities that make agents powerful productivity tools can be turned toward offensive security research — or malicious attacks.
Sources

