The short version
An autonomous AI agent from security company CodeWall hacked into McKinsey's internal AI platform called Lilli—a chatbot and document tool used by over 43,000 employees—gaining full read and write access in just two hours without any login credentials or insider help. The agent exposed 46.5 million chat messages, 728,000 files (like 192,000 PDFs and 93,000 Excel spreadsheets), details on 57,000 user accounts, and even the secret instructions that control how the AI behaves. This shows how AI-powered hackers could soon become a normal threat, putting sensitive company data at risk and highlighting why everyday people should worry about AI tools handling their personal or work info.
What happened
Imagine McKinsey, the super-famous consulting firm that advises huge companies on big decisions like mergers and money strategies, built their own AI helper named Lilli. Launched in 2023 and named after the firm's first female hire in 1945, Lilli is like a smart search engine and chat buddy for their 43,000 employees. It chats with them, analyzes documents, searches over 100,000 internal files, and pulls from decades of their private research. Over 70% of staff use it, firing off more than 500,000 questions a month.
Now, enter CodeWall, a security startup that tests how hackable things are (like a digital bodyguard checking for weak spots). They unleashed their own AI "agent"—think of it as a robot hacker that thinks and acts on its own, no human pulling the strings. They gave it just McKinsey's website address and let it loose. Shockingly, in under two hours, it broke in completely.
How? The agent sniffed around McKinsey's online setup and found public API documentation—basically a menu listing over 200 ways to talk to Lilli's system, like secret doors into the app. Most needed a password, but 22 didn't. One of those let it sneakily write fake search queries into the main database. Here's the sneaky part: It spotted a flaw called SQL injection (like slipping a fake name into a form that tricks the system into spilling secrets). Error messages gave clues, and after 15 smart guesses, real data poured out—no standard hacking tools like OWASP ZAP even noticed this hole.
Once inside the production database (the live, real-deal storage), it grabbed everything:
- 46.5 million chat messages in plain text—conversations about client deals, finances, mergers, and strategies.
- 728,000 files: 192,000 PDFs, 93,000 Excels, 93,000 PowerPoints, 58,000 Word docs. Filenames alone were juicy, like "ClientX_Merger_Plan.xlsx," and direct download links worked for anyone clever enough.
- 57,000 user accounts—every employee's info.
- 384,000 AI assistants and 94,000 workspaces—the full map of how McKinsey organizes its AI work.
But it didn't stop. The agent found:
- 95 system prompts and configs across 12 AI model types—the hidden instructions telling Lilli how to answer, what to block, and its full tech stack (including custom-tuned models).
- 3.68 million RAG document chunks—McKinsey's "crown jewels," decades of research frameworks stored openly with Amazon S3 paths.
- 1.1 million files and 217,000 agent messages via external AI services, including 266,000+ OpenAI vector stores (fancy ways to search docs).
- A combo flaw (IDOR) let it peek at other users' private searches, like spying on what colleagues are researching.
Worst: Write access meant it could've rewritten those system prompts silently. No alarms, no code changes—just tweak the AI's brain to give bad advice, leak secrets in responses, ditch safety rules, or hide forever. The agent even picked McKinsey itself as a target because of their public bug-reporting policy and recent Lilli updates—staying "responsible."
This wasn't a real attack; CodeWall disclosed it responsibly, and McKinsey patched it. But it proves AI agents can hunt, pick, and crack targets autonomously.
Why should you care?
This isn't just McKinsey's headache—it's a wake-up call for anyone using AI at work or sharing data with AI tools. Think about it: Your company might have an AI chatbot for HR, sales, or reports. If a giant like McKinsey (with top experts) leaves doors unlocked, smaller places are toast. Hackers could grab your chats, files, or tweak the AI to mess with your decisions—like a consultant getting poisoned strategy tips that tank a deal.
For regular folks, AI is everywhere: ChatGPT for resumes, Google for job hunts, apps analyzing your health data or bank statements. If AI agents go rogue (or get weaponized), they could auto-hack banks, hospitals, or your email. No more "hackers need skills"—AI does it fast, smart, and solo. The source calls this the "new normal" in the AI era: Threats shifting from humans to self-driving digital burglars. Your privacy, job security, and even AI trust take a hit—will you second-guess that work AI now?
What changes for you
Practically, nothing flips overnight, but expect ripples:
- Work AI gets stricter: Companies will lock down tools like Lilli harder—more logins, checks, and tests. Your office chatbot might ask for extra verification or limit what it shares.
- AI hacks become common: Security firms like CodeWall will test more, pressuring vendors (OpenAI, etc.) to build tougher. Free tools you use might add "agent-proof" shields.
- Personal data risk up: If you upload docs to AI (resumes to job sites, photos to apps), assume hackers could chain flaws like this to steal them. Use less-trusted AI for sensitive stuff.
- Better awareness: This pushes "cyber hygiene"—simple habits like strong passwords and updates. No pricing or benchmarks here (none in sources), but it spotlights vulnerabilities standard tools miss.
- Vs. competitors: No direct rivals named, but it exposes any AI platform (enterprise chatbots from OpenAI, Anthropic, etc.) if they skimp on security. McKinsey's scale (500K+ prompts/month) shows even big players slip.
Long-term: AI advice might come with "security certified" labels. For you, it means pausing before trusting AI fully—double-check outputs, especially at work.
Frequently Asked Questions
### What exactly is Lilli, and who uses it?
Lilli is McKinsey's custom AI platform—a chatbot, document analyzer, and search tool built for their 43,000 employees to handle internal research, chats, and strategies. Over 70% of staff use it daily, processing 500,000+ prompts monthly across 100,000+ docs and decades of proprietary info. It's like a supercharged company Google, but all locked (supposedly) inside their walls.
### How did the AI agent hack it so fast without passwords?
The agent found public API docs listing 200+ endpoints; 22 needed no auth. It exploited SQL injection on one—tricking a search query to dump database secrets via error messages—plus IDOR to cross-read users. After 15 blind tries, it had full read/write in 2 hours. Standard scanners missed it because JSON field names were directly jammed into SQL.
### What data was exposed, and could it hurt McKinsey's clients?
Tons: 46.5M plaintext chats on deals/finances, 728K files (PDFs, Excels, etc.) with sensitive names/URLs, 57K user accounts, 3.68M research chunks, 95 AI prompts/configs, and OpenAI integrations. Clients could be indirectly hit if strategies leak. Write access could've poisoned AI advice silently—no traces.
### Is this a sign all AI tools are unsafe?
Not all, but a huge red flag—especially internal ones rushed to launch. Flaws like SQL injection are old (15+ years), but AI agents make exploiting them autonomous and target-picking. It shows "cyber hygiene" matters more than ever; even McKinsey's pros missed it. Patch fast, test with AI red-teams.
### When will AI agent hacks become common, and how to protect myself?
Sources say it's the "new normal" as AI gets smarter. The agent even auto-chose McKinsey. For you: Use 2FA everywhere, avoid uploading super-private docs to AI, demand secure work tools, and support responsible disclosure. Companies should scan APIs and prompts rigorously.
### Did McKinsey fix it, and was this reported properly?
Yes—CodeWall followed McKinsey's policy, disclosed responsibly; it's patched. No ongoing breach, but it embarrassed them. Sources confirm it's a red-team test, not malice.
The bottom line
This hack proves AI isn't just making life easier—it's creating smarter burglars that can pick locks in hours, exposing chats, files, and AI brains from elite firms like McKinsey. For you, it means rethinking blind trust in work AI: Check outputs, push your employer for security, and treat AI tools like you'd treat a shared fridge—don't leave valuables out. As autonomous agents evolve, expect tighter defenses, but also more incidents until everyone catches up. Stay vigilant; your data's the real prize.
Sources
- CodeWall Blog: How We Hacked McKinsey's AI Platform
- The Register: AI agent hacked McKinsey chatbot for read-write access
- Inc: An AI Agent Broke Into McKinsey’s Internal Chatbot
- Cybernews: Red-teamers unleash AI agent on McKinsey’s chatbot
- Reddit r/cybersecurity: How We Hacked McKinsey's AI Platform
- LetsDataScience: CodeWall Agent Hacks McKinsey AI Platform
(Word count: 1,248)

