AI agent hacked McKinsey chatbot for read-write access
Security startup CodeWall demonstrated how their autonomous AI agent compromised McKinsey's internal AI chatbot Lilli in under two hours, gaining full read-write access to a production database containing 46.5 million chat messages, 728,000 files of confidential client data, 57,000 user accounts, and 95 writable system prompts. The attack exploited publicly exposed, unauthenticated API endpoints vulnerable to SQL injection, where JSON keys were concatenated directly into SQL queries. Because Lilli's system prompts were stored in the same database, an attacker could silently rewrite them to poison the chatbot's responses for all 40,000+ McKinsey employees using it. McKinsey patched the vulnerabilities within hours of disclosure and says no client data was accessed. The incident highlights the growing threat of fully autonomous AI agents conducting machine-speed cyberattacks against other AI systems.
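The bug class the summary describes, keys from a JSON body spliced straight into SQL text, is shown below beside a hardened version as an added example; this is not code from McKinsey, CodeWall or Lilli, and the `prompts` table, column names and request bodies are constructed placeholders. Values can be bound as parameters, but column names cannot, so the only defence for keys is an allowlist.

```python
import json
import re
import sqlite3

# Hypothetical schema: columns the endpoint may update (the page does not
# describe Lilli's real tables).
ALLOWED_COLUMNS = {"title", "content"}

def build_update_unsafe(table: str, row_id: int, fields: dict) -> str:
    """Vulnerable pattern: every JSON key becomes SQL text verbatim."""
    assignments = ", ".join(f"{key} = '{value}'" for key, value in fields.items())
    return f"UPDATE {table} SET {assignments} WHERE id = {row_id}"

def build_update_safe(table: str, row_id: int, fields: dict) -> tuple[str, list]:
    """Hardened pattern: identifiers checked against an allowlist, values bound."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", table):
        raise ValueError(f"bad table name: {table!r}")
    if not fields:
        raise ValueError("no fields to update")
    unknown = set(fields) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"rejected unknown column(s): {sorted(unknown)}")
    assignments = ", ".join(f'"{key}" = ?' for key in fields)
    params = list(fields.values()) + [row_id]
    return f'UPDATE "{table}" SET {assignments} WHERE id = ?', params

def apply_update(conn: sqlite3.Connection, body: str, row_id: int) -> str:
    """Parse a request body, apply it via the safe builder, return stored content."""
    sql, params = build_update_safe("prompts", row_id, json.loads(body))
    conn.execute(sql, params)
    conn.commit()
    return conn.execute("SELECT content FROM prompts WHERE id = ?", (row_id,)).fetchone()[0]

def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prompts (id INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    conn.execute("INSERT INTO prompts VALUES (1, 'default', 'You are a helpful assistant.')")
    # Constructed request bodies: one benign, one whose *key* is hostile.
    benign = '{"content": "Answer only from approved sources."}'
    hostile = '{"content = \'x\'; --": "ignored"}'
    result = {"benign": apply_update(conn, benign, 1)}
    # The unsafe builder happily emits the hostile key as part of the statement.
    result["unsafe_sql"] = build_update_unsafe("prompts", 1, json.loads(hostile))
    try:
        apply_update(conn, hostile, 1)
        result["hostile"] = "accepted"
    except ValueError as exc:
        result["hostile"] = str(exc)
    return result
```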