
A One-Man Firm Broke Into McKinsey’s AI System in 2 Hours

Zara Mitchell · Mar 31, 2026 · Updated Apr 7, 2026 · 4 min read
Engine Score 7/10 — Important

A one-man firm's break-in to McKinsey's AI platform in 2 hours exposes critical enterprise AI security failures.

  • Paul Price, founder of CodeWall, used an autonomous AI agent to breach McKinsey’s Lilli AI platform in under two hours through a SQL injection in an unauthenticated API endpoint.
  • The breach exposed 46.5 million plaintext chat messages, 728,000 files, and 57,000 user accounts from the consulting firm’s internal AI system.
  • McKinsey patched all unauthenticated endpoints within 24 hours of responsible disclosure on March 1, 2026.
  • Standard vulnerability scanners like OWASP ZAP failed to detect the flaw, raising questions about traditional security tooling for AI platforms.

What Happened

Paul Price, founder and CEO of offensive security firm CodeWall, deployed an autonomous AI penetration testing agent against McKinsey’s Lilli AI platform on February 28, 2026. The agent identified a SQL injection vulnerability in an unauthenticated API endpoint within two hours, achieving full read and write access to the production database.

Lilli is McKinsey’s internal AI assistant, launched in 2023 and used by more than 43,000 employees. The platform had a 70% adoption rate across the firm and processed over 500,000 prompts per month at the time of the breach. It served as a centralized knowledge retrieval and generation tool, connecting consultants to decades of internal research and client work.

The vulnerability stemmed from JSON key names being concatenated directly into SQL queries without proper parameterization. Of the platform’s 200-plus documented API endpoints, 22 lacked any authentication whatsoever. Price’s agent identified and exploited these unauthenticated endpoints as its initial attack surface.

Why It Matters

The breach exposed the full scope of a major consulting firm’s AI-powered knowledge base. The compromised data included 46.5 million plaintext chat messages, 728,000 files spanning 192,000 PDFs, 93,000 Excel spreadsheets, 93,000 PowerPoint decks, and 58,000 Word documents, along with 57,000 user accounts.

Beyond personal data, the agent accessed 3.68 million RAG document chunks containing decades of proprietary McKinsey research, strategy frameworks, and client deliverables. It also found 384,000 AI assistants, 94,000 workspaces, 95 system prompt configurations across 12 model types, and 266,000 OpenAI vector stores. An additional 1.1 million files had been routed through external AI APIs, meaning third-party model providers had also processed significant volumes of McKinsey’s confidential data.

The write access was particularly concerning. An attacker could have manipulated system prompts to alter the AI’s behavior across the entire organization, subtly changing how Lilli responded to queries without requiring any code deployment or triggering standard change management processes.

Technical Details

The CodeWall agent performed 15 blind SQL iterations, using error messages to reverse-engineer the underlying query structure. This technique progressively revealed table names, column structures, and data relationships within the production database. Standard automated scanners, including OWASP ZAP, failed to detect the injection because the vulnerability existed in JSON key names rather than typical form input fields or URL parameters.

The agent also discovered an Insecure Direct Object Reference (IDOR) vulnerability, allowing lateral access across user accounts and workspaces. By manipulating object identifiers in API requests, the agent could access any user’s chat history, uploaded documents, and configured AI assistants without needing their credentials.
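The two flaw classes described above, sketched side by side with a hardened form. This is an added example, not code from Lilli or CodeWall; the `chats` table, its columns, the function names and the request bodies are all assumptions constructed for illustration. The vulnerable builder binds values as parameters but concatenates JSON key names into the SQL text, and never scopes the query to the caller.

```python
import json
import sqlite3

# Assumed schema and names for illustration; not Lilli's actual code.
# The only SQL identifiers that can reach a query are these server-side constants.
ALLOWED_FILTERS = {"workspace_id": "workspace_id", "title": "title"}

def build_query_vulnerable(body: str):
    """Values are bound, but JSON key names are concatenated into the SQL."""
    filters = json.loads(body)
    where = " AND ".join(f"{key} = ?" for key in filters)
    return f"SELECT id, title FROM chats WHERE {where}", list(filters.values())

def build_query_hardened(body: str, session_user_id: int):
    """Map keys through an allow-list and scope every query to the caller."""
    filters = json.loads(body)
    if not isinstance(filters, dict):
        raise ValueError("filters must be a JSON object")
    # owner_id comes from the authenticated session, never from the request.
    clauses, params = ["owner_id = ?"], [session_user_id]
    for key, value in filters.items():
        column = ALLOWED_FILTERS.get(key)
        if column is None:
            raise ValueError(f"unsupported filter key: {key!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    return "SELECT id, title FROM chats WHERE " + " AND ".join(clauses), params

def run(sql, params):
    """Execute against a constructed in-memory table with two owners."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE chats (id INTEGER, owner_id INTEGER, "
               "workspace_id INTEGER, title TEXT)")
    db.executemany("INSERT INTO chats VALUES (?, ?, ?, ?)",
                   [(1, 10, 7, "pricing"), (2, 11, 7, "merger"), (3, 10, 8, "notes")])
    return sorted(db.execute(sql, params).fetchall())

# Constructed request bodies.
NORMAL = '{"workspace_id": 7}'
ODD_KEY = '{"title = title OR title": "x"}'  # key text that is not a column name
```

Because every value is already a bound parameter, a scanner that only mutates values sees nothing wrong with the vulnerable builder; the allow-list and the session-derived `owner_id` clause are what close the key-name and cross-account paths.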

Upon discovering the first batch of employee data, the AI agent itself flagged the finding with the annotation “WOW!” and later described the scale of exposure as “devastating.” These spontaneous reactions from the autonomous agent underscored the severity of what a fully automated system could uncover without any human guidance during the two-hour test.

Who’s Affected

The 57,000 user accounts belong to McKinsey employees and potentially clients whose data was processed through Lilli. Any organization whose confidential documents were uploaded to the AI assistant, whether for strategy analysis, market research, or due diligence, may have had that material exposed through the unauthenticated endpoints.

The incident also raises broader concerns for enterprises deploying internal AI platforms. Lilli was built by a firm that advises Fortune 500 companies on technology strategy and digital transformation, yet its own AI infrastructure contained basic security flaws that an automated agent found in under two hours. The gap between McKinsey’s public AI advisory practice and its internal security posture is notable.

What’s Next

McKinsey acknowledged the disclosure on March 1, 2026, and patched all unauthenticated endpoints by March 2. The firm also took its development environment offline and blocked public access to API documentation. CodeWall published its findings on March 9 after verifying the fixes were in place.

The incident highlights a gap between the pace of enterprise AI deployment and the security testing applied to these systems. Whether McKinsey will disclose the breach to affected clients, notify regulators, or commission a broader audit of its AI infrastructure remains unclear. Price has stated that CodeWall’s autonomous agent found the vulnerabilities faster than any manual penetration test could have, raising questions about whether traditional security assessment methods are keeping pace with the complexity of modern AI platforms.
