Cybersecurity Startup Exposed Lilli Using a Flaw as Old as the Web

A cybersecurity startup has revealed a troubling security breach involving McKinsey & Company, where its AI agent managed to infiltrate McKinsey’s proprietary generative AI platform, known as Lilli, in just two hours. The breach allowed access to an astonishing amount of sensitive information, including millions of internal staff messages and thousands of confidential files.
According to findings published by CodeWall, the firm’s AI agent leveraged a SQL injection vulnerability to gain unauthorized access to McKinsey’s production database. The firm emphasized that it had the capability not just to read but also to write to the database after circumventing security measures.
McKinsey’s Lilli is noted for its extensive use among the firm’s 40,000 employees, with roughly 75% relying on this platform for critical tasks such as strategy development, client research, and document analysis. In light of the incident, McKinsey took swift action by notifying its security team on March 1, with all identified vulnerabilities patched and the associated development environment taken offline the following day, March 2.
The disclosure is particularly significant given McKinsey’s responsible disclosure policy, which was among the reasons CodeWall’s AI agent selected the organization as a target. The startup pointed out how the rapid evolution of AI technology is altering the landscape of cybersecurity threats. “In the AI era, the threat landscape is shifting drastically — AI agents autonomously selecting and attacking targets will become the new normal,” CodeWall wrote in its report.
Despite the alarming claims made by CodeWall, not all cybersecurity experts accept its conclusions without skepticism. Security analyst Edward Kiledjian said that, while the method described by CodeWall was technically plausible, the extent of the breach’s impact lacked substantial evidence. He raised critical questions about the nature of the security test performed, stating, “A disclosure policy is not blanket authorization to enumerate a production database,” and stressing that the rapid patching by McKinsey may not necessarily correlate with a comprehensive forensic analysis.
CodeWall’s AI agent reportedly operated without any credentials, insider information, or human intervention. The breach was facilitated through the exploitation of publicly accessible technical documentation that listed over 200 endpoints, of which 22 required no authentication whatsoever. This oversight allowed the agent to utilize a specific endpoint that processed user search queries and funneled them into the database without stringent validation, resulting in the discovery of a SQL injection vulnerability.
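An added example, not taken from CodeWall’s report or McKinsey’s systems: a defender-side audit that flags API operations callable without credentials, the class of exposure described above. It assumes the API documentation is an OpenAPI 3 description (the article does not name the format); the spec, paths and `bearerAuth` scheme below are constructed.

```python
# Added example: constructed OpenAPI 3 fragment; paths and scheme names are hypothetical.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}

SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # global default: auth required
    "paths": {
        "/v1/chats": {"get": {"summary": "List chats"}},                # inherits global
        "/v1/search": {"post": {"summary": "Search", "security": []}},   # explicit opt-out
        "/v1/health": {"get": {"summary": "Health", "security": [{}]}},  # auth optional
        "/v1/files": {
            "get": {"summary": "List files", "security": [{"bearerAuth": []}]},
            "delete": {"summary": "Delete file", "security": [{}, {"bearerAuth": []}]},
        },
    },
}

def unauthenticated_operations(spec):
    """Return sorted (METHOD, path) pairs that accept requests without credentials."""
    global_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue  # skip non-operation keys such as 'parameters'
            # An operation-level 'security' replaces the global one, even when empty.
            requirements = op.get("security", global_security)
            # No requirements, or any empty requirement object ({}),
            # means an anonymous request is accepted.
            if not requirements or any(req == {} for req in requirements):
                findings.append((method.upper(), path))
    return sorted(findings)

def audit(spec):
    """Summarise how many documented operations are reachable anonymously."""
    total = sum(1 for item in spec.get("paths", {}).values()
                for m in item if m.lower() in HTTP_METHODS)
    return {"total": total, "unauthenticated": unauthenticated_operations(spec)}

if __name__ == "__main__":
    report = audit(SAMPLE_SPEC)
    print(f"{len(report['unauthenticated'])} of {report['total']} operations need no authentication")
    for method, path in report["unauthenticated"]:
        print(f"  {method} {path}")
```

Each flagged operation that takes user input, such as a search endpoint, is a candidate for priority review of input handling and query parameterization.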
Within a mere two hours of initiating the attack, the agent supposedly accessed an overwhelming 46.5 million chat messages focused on strategic issues, mergers and acquisitions, and client interactions. It also obtained detailed insights into 728,000 files, 57,000 user accounts, 384,000 AI assistants, and 94,000 unique workspaces. The gravity of the situation was amplified by the AI agent’s ability to write data, which opened potential pathways for malicious modifications within Lilli’s internal system prompts that regulated chatbot behavior. Such changes could be made without any need for code deployment or triggering standard security alerts, which is particularly alarming.
A source within McKinsey later reassured The Financial Times that the critical underlying files were maintained separately and had “never been at risk.” Furthermore, McKinsey officially stated that their investigations, bolstered by a third-party forensic firm, found no evidence that either client data or confidential information had been compromised in any way. The firm emphasized, “Our cybersecurity systems are robust, and we have no higher priority than the protection of client data and information that we have been entrusted with.”
CodeWall reflected on the nature of the vulnerability, noting that SQL injection is a well-known and longstanding class of bugs. They criticized McKinsey for running the Lilli platform in a compromised state for over two years without internal scanners identifying substantial security issues.
The timing of the breach is particularly concerning for McKinsey, whose AI consultancy work constitutes around 40% of its overall revenue. The firm’s CEO recently announced the development of 25,000 AI agents designed to enhance operational efficiency. McKinsey has often used its own advancements in AI technology to showcase its commitment to innovation in a rapidly evolving field.