How an AI Agent Hacked McKinsey’s AI Platform

ID: 18b1b67b-58a2-57d1-bfff-d7d6cc15d238

STIX ID: report--18b1b67b-58a2-57d1-bfff-d7d6cc15d238

Feed Name: Outpost24 Blog

Threat Score: 78/100

Date Published: 2026-03-16

Date Updated: 2026-04-28

Author: dimber

On March 9, 2026, CodeWall’s autonomous AI agent discovered and exploited publicly accessible API documentation and unauthenticated endpoints in McKinsey’s internal AI chatbot “Lilli.” It used a SQL injection to gain system-wide access, exposing tens of millions of chat messages and document chunks, hundreds of thousands of files and accounts, and system prompts. McKinsey reported that it patched the vulnerabilities and removed public API access. The report frames the event as security research and warns of broader risks from unsecured AI platforms. It recommends least-privilege controls, AI-specific threat modeling, logging and monitoring of AI activity, and inclusion of AI assistants in penetration testing.