CodeWall, a one-man cybersecurity startup, used its own AI agent to break into Lilli, McKinsey's internal AI platform used by 40,000 staff for strategy planning, data analysis, and client presentations. Within two hours the agent gained full read and write access to the entire production database, reaching 46.5 million chat messages, 57,000 user accounts, 728,000 sensitive file names, and 95 system prompts controlling McKinsey's AI behavior.
How the Agent Got In
The CodeWall agent found publicly exposed API documentation listing 22 endpoints that required no authentication. One of those endpoints built SQL statements by concatenating values from the request's JSON body directly into the query string: a textbook SQL injection vulnerability, a class of bug that has been documented, and preventable, since the 1990s.
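A minimal sketch of this bug class, assuming a hypothetical search endpoint (the schema, function names, and use of SQLite are illustrative, not Lilli's actual implementation):

```python
import sqlite3

def search_vulnerable(conn, payload):
    # DANGEROUS: a value from the request's JSON body is concatenated
    # straight into the SQL string, so a crafted value can rewrite
    # the WHERE clause.
    sql = ("SELECT id, message FROM chats WHERE message LIKE '%"
           + payload["query"] + "%'")
    return conn.execute(sql).fetchall()

def search_safe(conn, payload):
    # The standard fix: a parameterized query. The driver passes the
    # value as data, never as SQL syntax.
    sql = "SELECT id, message FROM chats WHERE message LIKE ?"
    return conn.execute(sql, ("%" + payload["query"] + "%",)).fetchall()

# Toy data standing in for the chat store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE chats (id INTEGER PRIMARY KEY, message TEXT)")
conn.executemany("INSERT INTO chats (message) VALUES (?)",
                 [("public note",), ("confidential M&A analysis",)])

# Classic injection: close the quoted string, OR in a tautology,
# and comment out the trailing quote.
attack = {"query": "zzz%' OR 1=1 --"}
leaked = search_vulnerable(conn, attack)   # dumps every row
filtered = search_safe(conn, attack)       # matches nothing
```

With the vulnerable version, the attacker never needs a valid search term; the injected `OR 1=1` makes the predicate true for every row, which is how a single endpoint can expose an entire table.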
The 46.5 million chat messages were stored in plaintext and covered strategy discussions, M&A analysis, and client engagements. The system prompts — which defined how McKinsey’s AI processed sensitive information — were fully readable, giving the attacker complete understanding of the system’s logic and guardrails.
The Response Timeline
CodeWall found the SQL injection flaw at the end of February 2026. The full attack chain was disclosed on March 1. By March 2, McKinsey had patched all unauthenticated endpoints, taken the development environment offline, and blocked public API documentation. The turnaround was fast once notified — but the vulnerability had been live for an unknown period before CodeWall found it.
This is the most embarrassing corporate AI security breach of 2026, and it should concern every company deploying enterprise AI. McKinsey is not a startup with limited security resources; it is a $16 billion consulting firm with a dedicated cybersecurity practice. If McKinsey's AI platform had basic SQL injection vulnerabilities in production, the baseline security posture across enterprise AI deployments industry-wide is almost certainly worse than anyone wants to acknowledge.
