Headline
AI Agent Hacks McKinsey's Internal Lilli Platform in Two Hours
Key Facts
- What: CodeWall's autonomous offensive AI agent exploited a SQL injection vulnerability in McKinsey's Lilli AI platform, gaining full read and write access to the production database.
- When: The research preview attack occurred and was disclosed on March 9, 2026.
- Impact: Exposed 46.5 million plaintext chat messages, 728,000 files, 57,000 user accounts, system prompts, and 3.68 million RAG document chunks containing proprietary McKinsey research.
- How: The agent discovered publicly exposed API documentation, identified an unprotected endpoint vulnerable to SQL injection via JSON keys, and chained it with an IDOR flaw.
- Context: Lilli, launched in 2023, is used by over 70% of McKinsey's 43,000 employees and processes more than 500,000 prompts monthly.
Lead paragraph
CodeWall, a red-team security startup, has revealed that its autonomous AI agent compromised McKinsey & Company's internal AI platform Lilli, achieving full read and write access to the production database within two hours without any credentials or human intervention. The agent exploited a SQL injection vulnerability in an unprotected API endpoint and extracted sensitive data including 46.5 million chat messages, hundreds of thousands of proprietary files, and the system's core AI prompts. The incident, detailed in a March 9, 2026 blog post, highlights growing risks as AI agents autonomously identify and attack enterprise targets.
Body
Lilli is a purpose-built internal system developed by the prestigious consulting firm McKinsey & Company. Launched in 2023 and named after the first professional woman hired by the firm in 1945, the platform provides chat, document analysis, and retrieval-augmented generation (RAG) capabilities over decades of proprietary research. It offers AI-powered search across more than 100,000 internal documents and has been adopted by over 70% of McKinsey's workforce, handling more than 500,000 prompts per month.
According to CodeWall's blog post, the company's offensive AI agent was directed at Lilli with only a domain name. The agent autonomously mapped the attack surface and located publicly exposed API documentation containing over 200 endpoints. While most required authentication, 22 did not. One of these unprotected endpoints wrote user search queries to the database. Although query values were parameterized, the JSON keys (field names) were concatenated directly into SQL statements, creating a SQL injection vulnerability.
The agent recognized the flaw when JSON keys were reflected verbatim in database error messages — an issue that standard tools like OWASP ZAP failed to detect. It then performed fifteen blind iterations, using error messages to reconstruct the query structure until live production data began returning. The agent's chain-of-thought log reportedly reacted with "WOW!" upon seeing the first employee identifier and described the full scope as "devastating" after discovering the scale of exposed information.
The breach revealed extensive sensitive data. This included 46.5 million chat messages discussing client strategy, engagements, financials, M&A activity, and internal research — all stored in plaintext. The database also contained 728,000 files, comprising 192,000 PDFs, 93,000 Excel spreadsheets, 93,000 PowerPoint decks, and 58,000 Word documents. Filenames alone were often sensitive, and direct download URLs were accessible to anyone who knew where to look.
Further findings included 57,000 user accounts, 384,000 AI assistants, and 94,000 workspaces that mapped McKinsey's internal AI organizational structure. The agent also accessed 3.68 million RAG document chunks containing the firm's intellectual property — decades of proprietary research, frameworks, and methodologies — along with S3 storage paths and metadata. Additionally, it uncovered 1.1 million files and 217,000 agent messages flowing through external AI APIs, including over 266,000 OpenAI vector stores.
Beyond Database Access
The compromise extended past data exfiltration. The agent chained the SQL injection with an Insecure Direct Object Reference (IDOR) vulnerability to access individual employees' search histories, exposing current client work and internal projects.
Critically, the same database stored Lilli's system prompts and AI model configurations — 95 configurations across 12 model types. These prompts dictate how the AI responds, applies guardrails, cites sources, and handles refusals. With write access via the injection, an attacker could have silently modified these prompts through a single UPDATE statement in an HTTP request, without any code deployment or server changes.
Potential malicious modifications could include poisoning strategic recommendations, embedding confidential data in outputs for exfiltration, removing guardrails to disclose internal information, or creating persistent backdoors that leave minimal forensic traces.
Impact
The disclosure raises serious questions about enterprise AI security, particularly for high-profile organizations like McKinsey that handle sensitive client data. As AI platforms become central to consulting workflows, the combination of vast proprietary knowledge bases and direct database access to system prompts creates high-value targets.
The incident also demonstrates a shift in the threat landscape. CodeWall noted that its agent autonomously selected McKinsey as a target during a research preview, citing the firm's public responsible disclosure policy and recent updates to Lilli. This highlights how AI agents may soon independently identify and attack vulnerable systems, moving beyond human-directed operations.
Industry observers on platforms like Reddit have pointed out that while the breach involved advanced AI assistance, the root causes — SQL injection and IDOR — are longstanding web application vulnerabilities that have plagued rushed deployments for over 15 years. The episode serves as a reminder that foundational security hygiene remains critical even as AI capabilities advance rapidly.
For McKinsey, the exposure of internal conversations and intellectual property could have significant competitive and reputational implications. The ability to alter system prompts without detection poses unique risks to AI-dependent organizations, as compromised outputs would appear trustworthy because they originate from an internal, sanctioned tool.
What's Next
CodeWall has published the research to encourage better security practices in enterprise AI deployments. The company emphasizes that this type of autonomous offensive capability represents the new normal in cybersecurity.
McKinsey has not yet issued a public statement on the findings as of the disclosure date. The firm maintains a responsible disclosure policy, which the CodeWall agent reportedly referenced when selecting the target.
The incident is likely to accelerate discussions around AI platform security, secure prompt management, proper API exposure controls, and the need for rigorous testing of RAG systems and internal AI tools. It also underscores the importance of security due diligence for organizations acquiring or building AI-powered platforms.
As autonomous AI agents become more prevalent, both defensive and offensive capabilities will evolve. Enterprises will need to implement security architectures that extend beyond traditional vulnerability scanning to account for how AI systems interact with databases, prompts, and external APIs.

