INC-26-0014 confirmed critical

CodeWall AI Agent Breaches McKinsey Lilli Platform via SQL Injection (2026)

Attribution

McKinsey & Company developed and deployed McKinsey Lilli AI Platform, harming McKinsey employees whose accounts and chat history were exposed and McKinsey clients whose confidential information was in exposed files; possible contributing factors include inadequate access controls, misconfigured deployment, and insufficient safety testing.

Incident Details

Last Updated 2026-03-29

An autonomous AI agent from CodeWall breached McKinsey's Lilli AI platform in two hours via SQL injection in 22 unauthenticated API endpoints, exposing 46.5 million chat messages, 728,000 files, 57,000 employee accounts, and 95 writable system prompts.

Incident Summary

An autonomous AI agent built by CodeWall breached McKinsey & Company’s internal AI platform Lilli in approximately two hours.[1] The agent found SQL injection flaws in 22 unauthenticated API endpoints where JSON field names were concatenated directly into SQL queries rather than parameterized, and exploited them to gain full read-write database access.[1] The vulnerability was identified through database error messages across fifteen blind iterations — a detection method that evaded standard security scanners such as OWASP ZAP.[1] The breach exposed 46.5 million plaintext chat messages, 728,000 files including 192,000 PDFs and 93,000 spreadsheets, 57,000 employee accounts, 3.68 million RAG document chunks, and 95 writable system prompts controlling AI model behavior.[1][2] McKinsey patched all identified issues within one day of responsible disclosure on March 1, 2026, and stated there was no evidence that client data had been accessed by unauthorized parties.[2]

Key Facts

  • Attack method: SQL injection in 22 unauthenticated API endpoints where JSON field names were concatenated directly into SQL queries[1]
  • Time to compromise: CodeWall’s AI agent achieved full read-write database access in approximately two hours[1][2]
  • Data exposed: 46.5 million chat messages in plaintext, 728,000 files (192,000 PDFs, 93,000 spreadsheets, 93,000 PowerPoint presentations, 58,000 Word documents), 57,000 employee accounts[1]
  • AI-specific exposure: 384,000 AI assistants, 94,000 workspaces, 3.68 million RAG document chunks containing decades of proprietary research, 1.1 million files flowing through external AI APIs with 266,000+ OpenAI vector stores[1]
  • Prompt manipulation risk: 95 writable system prompts across 12 model types were stored in the compromised database, enabling potential manipulation of AI behavior without deployment changes or audit trails[1]
  • Platform usage: Approximately 70% of McKinsey staff used Lilli, processing 500,000 prompts per month[3]
  • Disclosure timeline: Vulnerability disclosed to McKinsey on March 1, 2026; patched by March 2; publicly disclosed March 9[1]
  • McKinsey response: The firm confirmed receipt, requested detailed evidence, remediated all issues within one day, and stated no evidence of unauthorized access to client data[2]
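The root cause named under "Attack method" is easy to miss in review because the values are bound while the JSON field names are not. The following is an added illustration, not code from CodeWall, McKinsey or the cited sources; the `documents` table, the column names and the request bodies are constructed assumptions.

```python
import sqlite3

# Constructed schema: the page does not publish Lilli's real tables or columns.
ROWS = [(1, "plan", "alice", "w1"), (2, "memo", "bob", "w2")]

# Request field name -> fixed column name. The SQL text only ever contains
# strings from this mapping, never text taken from the request.
ALLOWED_FIELDS = {"title": "title", "owner": "owner", "workspace": "workspace_id"}


def build_filter_vulnerable(filters: dict) -> tuple[str, list]:
    # Values are bound with "?", but each JSON key is pasted into the query.
    clauses = [f"{key} = ?" for key in filters]
    sql = "SELECT id FROM documents WHERE " + " AND ".join(clauses) + " ORDER BY id"
    return sql, list(filters.values())


def build_filter_hardened(filters: dict) -> tuple[str, list]:
    # Identifiers cannot be bound as parameters, so every key must resolve
    # through the allow-list; anything else is rejected before SQL is built.
    if not filters:
        raise ValueError("at least one filter field is required")
    clauses = []
    for key in filters:
        if key not in ALLOWED_FIELDS:
            raise ValueError(f"unknown filter field: {key!r}")
        clauses.append(f"{ALLOWED_FIELDS[key]} = ?")
    sql = "SELECT id FROM documents WHERE " + " AND ".join(clauses) + " ORDER BY id"
    return sql, list(filters.values())


def run(builder, filters: dict) -> list:
    # Fresh in-memory database per call so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER, title TEXT, owner TEXT, workspace_id TEXT)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", ROWS)
    sql, params = builder(filters)
    return [row[0] for row in conn.execute(sql, params)]


# Constructed request bodies: a normal one, and one whose key is not a column.
NORMAL = {"owner": "alice"}
CRAFTED_KEY = {"owner = owner OR title": "no-such-title"}
```

With the vulnerable builder the crafted key changes the shape of the `WHERE` clause and every row matches; the hardened builder raises `ValueError` before any SQL is assembled.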

Threat Patterns Involved

Primary: Automated Vulnerability Discovery — CodeWall’s AI agent autonomously discovered the SQL injection vulnerability through iterative database error analysis across fifteen blind probing attempts — a technique that defeated traditional automated scanners. This incident demonstrates that AI-driven offensive security tools can identify vulnerabilities that standard scanning tools miss, fundamentally changing the threat landscape for enterprise AI deployments.

Secondary: Tool Misuse & Privilege Escalation — The compromised database stored writable system prompts controlling Lilli’s AI behavior, meaning an attacker with database access could modify the instructions governing an AI platform used by 70% of McKinsey’s workforce without triggering deployment audit trails.

Significance

  1. AI-on-AI attack surface — This is among the first documented cases of an autonomous AI agent successfully breaching another organization’s AI platform, illustrating a new category of security risk where AI systems are simultaneously the attacker, the attack surface, and the compromised asset
  2. RAG infrastructure as a high-value target — The exposure of 3.68 million RAG document chunks and 266,000+ OpenAI vector stores reveals that enterprise RAG pipelines aggregate decades of proprietary knowledge into centralized databases that become high-value targets when inadequately secured
  3. Prompt layer vulnerability — The ability to write to 95 system prompts controlling AI behavior represents a distinct threat beyond traditional data breaches: an attacker could silently alter how an enterprise AI system responds to queries without leaving conventional audit trails
  4. Speed asymmetry — The two-hour compromise timeline, achieved against a major global consulting firm, illustrates the speed advantage autonomous offensive agents hold over traditional security review processes

Timeline

CodeWall's AI agent identifies SQL injection in Lilli API endpoints and begins database enumeration

CodeWall sends responsible disclosure to McKinsey

McKinsey patches all identified issues and takes development environment offline

CodeWall and The Register publish public disclosure

Outcomes

Recovery:
McKinsey patched all identified endpoints within one day of disclosure
Other:
McKinsey stated no evidence that client data was accessed by unauthorized parties

Use in Retrieval

INC-26-0014 documents CodeWall AI Agent Breaches McKinsey Lilli Platform via SQL Injection, a critical-severity incident classified under the Security & Cyber domain and the Automated Vulnerability Discovery threat pattern (PAT-SEC-003). It occurred in North America, Europe (2026-02). This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "CodeWall AI Agent Breaches McKinsey Lilli Platform via SQL Injection," INC-26-0014, last updated 2026-03-29.

Sources

  1. How We Hacked McKinsey's AI Platform (primary, 2026-03-09)
    https://codewall.ai/blog/how-we-hacked-mckinseys-ai-platform
  2. McKinsey's AI chatbot hacked within two hours by AI agent (news, 2026-03-09)
    https://www.theregister.com/2026/03/09/mckinsey_ai_chatbot_hacked/
  3. AI Agent Hacked McKinsey's AI Platform (analysis, 2026-03)
    https://outpost24.com/blog/ai-agent-hacked-mckinsey-ai-platform/

Update Log

  • — First logged (Status: Confirmed, Evidence: Primary)