AI agent hacks McKinsey employee chatbot
Occurred: February 2026
Page published: March 2026
A security research firm's autonomous AI agent exploited basic security flaws to breach McKinsey's internal AI platform, exposing tens of millions of confidential client and employee records and demonstrating that AI-powered cyberattacks can now operate at high speed without human involvement.
An autonomous AI agent deployed by cybersecurity firm CodeWall to test the defenses of major corporations with public disclosure policies identified McKinsey & Company as a target and, within two hours, discovered 22 unauthenticated API endpoints.
By exploiting a classic SQL injection vulnerability, the agent bypassed McKinsey security to gain total access to Lilli’s production database, accessing 46.5 million chat messages about strategy, mergers and acquisitions, and client engagements along with 728,000 files containing confidential client data and 57,000 user accounts.
It also uncovered 95 system prompts controlling the AI's behaviour, which act as the "brain" of the AI, providing the potential to silently rewrite the chatbot's rules for all 43,000+ employees, as well as 3.68 million RAG document chunks (the entire knowledge base feeding the AI) representing decades of proprietary McKinsey research, frameworks, and methodologies.
Because the agent had "write" access, it could have changed Lilli’s instructions to give consultants subtly incorrect advice or leak data silently, which would be nearly impossible for users to detect.
The root cause was a combination of basic security oversight and the increased speed of AI-driven attacks. Despite McKinsey's reputation for high-end technical consulting, the Lilli platform had 22 API endpoints that required no authentication.
Furthermore, while the system used modern AI, its database was vulnerable to a 30-year-old class of attack (SQL injection) because JSON field names from incoming requests were concatenated directly into database queries without validation or sanitisation.
Standard security scanners had failed to find the flaw, but the autonomous agent was able to "think" through the error messages to find a way in.
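As an added illustration (not code from this page, from CodeWall, or from McKinsey's Lilli platform), the pattern described above in miniature: JSON keys spliced into SQL text as column names, shown beside a hardened version that allowlists identifiers and binds values. The table, column names and rows are constructed stand-ins, and the hostile key is a textbook tautology used only to show that the identifier, not the value, is what reaches the query.

```python
import json
import sqlite3

# Constructed schema standing in for a chat-message table (hypothetical, not Lilli's).
ALLOWED_FIELDS = {"id", "author", "created_at", "body"}


def build_query_unsafe(json_body: str) -> str:
    """'Before' pattern: JSON keys become column names in the SQL text.
    Values would be bound with '?', but identifiers cannot be parameterised,
    so a crafted key is copied verbatim into the statement."""
    fields = json.loads(json_body)
    clauses = " AND ".join(f"{key} = ?" for key in fields)
    return f"SELECT id, body FROM messages WHERE {clauses}"


def build_query_safe(json_body: str):
    """Hardened pattern: every key is checked against a fixed allowlist of
    known column names before it touches the SQL; values are still bound.
    The error is generic so a caller cannot 'think through' database errors."""
    fields = json.loads(json_body)
    for key in fields:
        if key not in ALLOWED_FIELDS:
            raise ValueError("unexpected field name in request")
    clauses = " AND ".join(f'"{key}" = ?' for key in fields)
    return f"SELECT id, body FROM messages WHERE {clauses}", tuple(fields.values())


def run_safe(conn, json_body: str):
    sql, params = build_query_safe(json_body)
    return conn.execute(sql, params).fetchall()


def demo():
    """Returns (unsafe SQL built from a hostile key, whether the safe path
    rejected it, rows returned by the safe path for a legitimate request)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER, author TEXT, created_at TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (1, "alice", "2026-02-28", "draft deck"),      # constructed sample rows
        (2, "bob", "2026-02-28", "q3 numbers"),
    ])
    hostile = json.dumps({"author = '' OR 1=1 --": "x"})  # injection sits in the key
    unsafe_sql = build_query_unsafe(hostile)              # built, deliberately not executed
    try:
        run_safe(conn, hostile)
        rejected = False
    except ValueError:
        rejected = True
    legit_rows = run_safe(conn, json.dumps({"author": "alice"}))
    return unsafe_sql, rejected, legit_rows
```

The unsafe builder returns a statement in which the comment marker has swallowed the value placeholder, while the allowlisted builder refuses the same request before any SQL is assembled.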
McKinsey disputed the scale of the breach. The firm said its investigation, supported by a leading third-party forensics firm, identified no evidence that client data had been accessed by the researcher or any other unauthorised third party. A McKinsey source also told the Financial Times that the underlying files were stored separately and were never at risk.
For the AI industry, the incident marks a shift in the "AI arms race," proving that AI-on-AI attacks are no longer theoretical.
For society and policymakers, it demonstrates that even the world’s most sophisticated firms can fall victim to "boring" security failures when rushing to deploy AI.
Lilli
Developer: McKinsey & Co
Country: Multiple
Sector: Business/professional services; Multiple
Purpose: Analyse documents
Technology: Generative AI
Issue: Accountability; Confidentiality; Security; Transparency
2023. McKinsey launches Lilli, its internal generative AI platform, for use by consultants.
Late February 2026. CodeWall's AI agent autonomously selects McKinsey as a target based on its public responsible disclosure policy.
February 28, 2026. CodeWall's agent breaches Lilli.
March 1, 2026. CodeWall discloses attack to McKinsey's security team.
By March 9, 2026. McKinsey patches identified vulnerabilities.
March 9, 2026. CodeWall publicly discloses breach.
CodeWall. How We Hacked McKinsey's AI Platform
AIAAIC Repository ID: AIAAIC2253