Back to Blog
Artificial IntelligenceIT Security

How McKinsey's AI Platform Was Hacked – and What It Means for Businesses

Mert Bacak··7 min read
Digital brain with data streams — symbolic image for AI security and vulnerabilities in AI systems.

This article is based on the publicly published security report by [CodeWall](https://codewall.ai/blog/how-we-hacked-mckinseys-ai-platform), released on March 9, 2026. CodeWall conducted responsible disclosure — reporting the vulnerability to McKinsey before going public. McKinsey patched the issue within 24 hours of being notified, which is a genuinely fast response. We are reporting on this because the findings are relevant to any business running AI infrastructure today.


McKinsey has been running an internal AI platform called Lilli since 2023 — used by over 43,000 employees worldwide, processing 500,000 prompts per month, with a 70% adoption rate. An impressive infrastructure. Until an autonomous AI agent from security firm CodeWall compromised the entire production database within two hours — with no credentials and no insider knowledge.

Here is what happened, what was exposed, and what it means for any business running an AI platform today.

What Is Lilli?

Lilli is McKinsey's internal AI platform — an AI assistant that gives 43,000 employees access to the firm's entire internal knowledge archive.

How the Attack Unfolded

The CodeWall agent started where every penetration tester starts: publicly available documentation. Lilli had over 200 API endpoints — 22 of which required no authentication.

One unprotected endpoint wrote search queries directly to the database. Values were safely parameterised — but JSON field names were concatenated directly into SQL statements. A classic SQL injection that standard automated scanners had missed.

The AI agent identified the vulnerability, ran 15 blind iterations, and gradually extracted the database structure until production data started flowing back.

What Was Exposed

The numbers are alarming:

  • 46.5 million chat messages: in plaintext — including strategy discussions, financial data, and M&A information
  • 728,000 files: — 192,000 PDFs, 93,000 spreadsheets, 93,000 presentations
  • 57,000 user accounts: — every employee in the system
  • 384,000 AI assistants: and 94,000 workspaces
  • 95 system prompt configurations: across 12 model types
  • 3.68 million RAG document chunks: — decades of proprietary research knowledge

Through chained SQL injection and IDOR vulnerabilities, the agent also accessed cross-user search histories.

The Underestimated Threat: System Prompts as an Attack Surface

What makes this incident particularly serious: the system prompts controlling Lilli's behaviour were stored in the same accessible database. With write access via SQL injection, an attacker could have silently rewritten those prompts — no deployment, no audit trail.

The potential consequences: poisoned advice, data exfiltration through model outputs, removal of safety guardrails, persistent backdoors embedded in AI behaviour.

Why McKinsey Missed It

McKinsey is not a small company with a poor security posture. Yet the vulnerability sat undetected in production for two years. CodeWall's conclusion is sobering:

> "An autonomous agent found it because it doesn't follow checklists."

Standard security scanners operate on defined patterns. An autonomous agent reasons through combinations that fall outside the regular testing framework. The SQL injection was not obvious — it emerged from the interaction between JSON field names and SQL concatenation, a gap only identifiable through deliberate reasoning.

The Disclosure Timeline

  • Feb 28, 2026: SQL injection identified
  • Mar 1, 2026: Responsible disclosure sent to McKinsey
  • Mar 2, 2026: McKinsey patches the vulnerability, takes dev environment offline
  • Mar 9, 2026: Public disclosure by CodeWall

McKinsey responded quickly — but the vulnerability had already existed in production for two years.

What This Means for Businesses

This incident is not an isolated case. It is a pattern.

AI platforms are built fast and deployed fast — security review lags behind. That applies to McKinsey just as much as to any business running internal AI infrastructure today.

Concrete steps to take:

1. Secure every API endpoint — any endpoint that reads or writes data needs authentication

2. Treat system prompts like code — versioning, access controls, audit logs

3. Protect RAG documents and vector stores — not just the application layer, but the data layer

4. Use autonomous security testing — standard checklists are no longer sufficient

5. Apply least privilege to AI components — AI systems should only access the data they genuinely need

At BIT-Partners, security is not an afterthought added to AI projects — it is built into the architecture. If you are building or running an AI platform and want to ensure it is properly secured, get in touch with us.

For more on how AI is accelerating cyberattacks broadly, see our post on AI and cyberattacks.


Source

Questions About This Topic?

We are happy to advise you without obligation. Contact us for an initial consultation.

Contact Us Now