A cybersecurity startup claims its artificial intelligence agent took just two hours to infiltrate McKinsey & Company’s internal AI platform, gaining access to millions of staff messages and thousands of files.
CodeWall released its findings this week, revealing that its agent could also have modified the chatbot’s core instructions after exploiting a SQL injection vulnerability.
According to the startup, the agent obtained full read and write access to the production database powering Lilli, McKinsey’s internal AI platform. Approximately three quarters of the firm’s more than 40,000 employees rely on it for strategy work, client research, and document analysis.
CodeWall notified McKinsey’s security team on March 1st, and the firm shut down the exposed access points the following day. The startup justified selecting McKinsey as a target based on its publicly available responsible disclosure policy on HackerOne, arguing that AI agents autonomously choosing and attacking targets will become increasingly common.
Not everyone took CodeWall’s account at face value, however. Security analyst Edward Kiledjian described the attack chain as technically plausible, but noted that the claimed scope of impact was not fully supported by evidence, adding that a disclosure policy does not constitute authorization to access production databases.
The agent found its way in through publicly available technical documentation listing over 200 endpoints, 22 of which required no authentication. One of them accepted search queries without properly validating input, making it susceptible to SQL injection. Through error messages that exposed live data, the agent accessed 46.5 million chat messages, 728,000 files, 57,000 user accounts, 384,000 AI assistants, and 94,000 workspaces.
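A defender can run the same inventory against their own API description before publishing it. The sketch below is an added example, not code from CodeWall or McKinsey: it assumes the documentation is an OpenAPI 3 document (the article does not name the format), and the sample spec, paths and scheme name are constructed for illustration. It lists every operation callable without credentials and flags those that also accept caller-supplied input.

```python
# Added example: find operations in an OpenAPI 3 document that need no credentials.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}

def requires_auth(security):
    """A requirement list enforces auth only if it is non-empty and contains
    no empty object; `{}` in the list means anonymous access is allowed."""
    return bool(security) and all(req for req in security)

def unauthenticated_operations(spec):
    """Return sorted (METHOD, path, takes_input) for anonymous operations."""
    default = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # parameters declared at path level
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level `security` overrides the document default,
            # even when it is an empty list.
            if requires_auth(op.get("security", default)):
                continue
            params = shared + op.get("parameters", [])
            takes_input = "requestBody" in op or any(
                p.get("in") in ("query", "path") for p in params)
            findings.append((method.upper(), path, takes_input))
    return sorted(findings)

# Constructed sample spec (hypothetical paths and scheme name).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # document-wide default: auth required
    "paths": {
        "/workspaces": {"get": {"responses": {}}},  # inherits the default
        "/search": {"get": {"security": [],  # explicit opt-out
                            "parameters": [{"name": "q", "in": "query"}],
                            "responses": {}}},
        "/health": {"get": {"security": [{}], "responses": {}}},
        "/files": {"post": {"security": [{"bearerAuth": []}, {}],
                            "requestBody": {}, "responses": {}}},
    },
}

if __name__ == "__main__":
    for method, path, takes_input in unauthenticated_operations(SAMPLE_SPEC):
        note = "accepts caller input, review validation" if takes_input else "no input"
        print(f"{method:6} {path:12} {note}")
```

Anonymous operations that take input are the ones to review first for parameterized queries and for error responses that do not echo database output.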
Write access made the situation considerably more serious, as Lilli’s 95 internal system prompts governing the chatbot’s behavior were stored in the same database. This would have allowed an attacker to alter them without deploying new code or triggering any security alerts.
McKinsey stated that an investigation supported by a third-party forensics firm found no evidence that client data had been compromised, and noted that the underlying files were stored separately and were never at risk.
CodeWall emphasized that the vulnerability was not sophisticated — SQL injection is one of the oldest known security flaws, and Lilli had been running in production for over two years without its internal scanners detecting the issue. This is particularly sensitive for McKinsey, given that AI advisory work accounts for roughly 40% of its revenue.