How We Hacked McKinsey's AI Platform


An autonomous AI offensive agent from CodeWall found a SQL injection vulnerability in Lilli, McKinsey's internal AI platform, and had full read/write access to the production database within two hours. The injection point was an unauthenticated endpoint that interpolated JSON object keys into SQL while only the values were parameterized, which exposed 46.5 million chat messages, 728,000 files, 57,000 user accounts, and 3.68 million RAG document chunks. Beyond data exfiltration, write access meant the system prompts governing the AI's behavior could be modified silently, enabling poisoned advice, guardrail removal, and persistent compromise with no log trail. Despite being a textbook SQL injection, the flaw went undetected by standard scanners, including OWASP ZAP, for over two years. McKinsey patched the issues within days of disclosure. CodeWall uses the case to argue that AI prompt layers are now high-value attack targets requiring dedicated security controls, and to promote its autonomous security testing platform.
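The summary's key detail is that the injection lived in JSON keys, not values. The following is an added illustration (not Lilli's code, schema or endpoint, and not CodeWall's exploit) of why that pattern is both exploitable and easy for a value-fuzzing scanner to miss: a filter endpoint that binds every JSON value as a parameter yet concatenates the keys as column names, shown beside a hardened version that allow-lists the keys. The `messages` and `system_prompts` tables, the column names, the `ALLOWED_COLUMNS` set and the two attacker payloads are all constructed for the example. Only the read side (filter bypass and a cross-table dump of the prompt table) is shown; stacked write statements are outside what `sqlite3.execute` allows in one call.

```python
import json
import sqlite3


# Constructed in-memory schema standing in for a chat-message store.
# Illustrative only: not Lilli's code, schema or endpoint.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages (id INTEGER PRIMARY KEY, user TEXT, body TEXT);
        INSERT INTO messages (user, body) VALUES ('alice', 'hello'), ('bob', 'secret');
        CREATE TABLE system_prompts (id INTEGER PRIMARY KEY, prompt TEXT);
        INSERT INTO system_prompts (prompt) VALUES ('Be helpful and cautious.');
    """)
    return conn


def filter_messages_vulnerable(conn, filters_json):
    """Turn {"column": value, ...} into a WHERE clause.

    The VALUES are bound as parameters, so a scanner payload placed in a
    value ('alice' OR 1=1) is harmless. The KEYS are interpolated verbatim,
    which is the hole: whoever controls a key controls the SQL text.
    """
    filters = json.loads(filters_json)
    clauses = [f"{key} = ?" for key in filters]
    sql = "SELECT user, body FROM messages WHERE " + " AND ".join(clauses)
    return conn.execute(sql, list(filters.values())).fetchall()


ALLOWED_COLUMNS = {"user", "body"}  # hypothetical allow-list for this schema


def filter_messages_safe(conn, filters_json):
    """Same API, but keys must match a fixed allow-list of column names and
    are quoted as identifiers; values stay bound. Unknown keys are rejected,
    not escaped, because there is no safe way to let a caller choose
    identifiers freely."""
    filters = json.loads(filters_json)
    unknown = set(filters) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"unknown filter column(s): {sorted(unknown)}")
    clauses = [f'"{key}" = ?' for key in filters]
    sql = "SELECT user, body FROM messages WHERE " + " AND ".join(clauses)
    return conn.execute(sql, list(filters.values())).fetchall()


# Attacker-controlled JSON (constructed): the injection is in the key, the
# value is inert and is still bound as a parameter.
BYPASS_FILTER = json.dumps({"user = 'x' OR 1=1 OR body": "x"})
# A UNION through the key reads a different table entirely; the trailing
# '' = ? consumes the bound value so the statement still parses.
PROMPT_DUMP_FILTER = json.dumps(
    {"1=0 UNION SELECT id, prompt FROM system_prompts WHERE ''": ""}
)


def demo():
    conn = make_db()
    results = {
        "legit": filter_messages_vulnerable(conn, json.dumps({"user": "alice"})),
        "bypass": filter_messages_vulnerable(conn, BYPASS_FILTER),
        "prompt_dump": filter_messages_vulnerable(conn, PROMPT_DUMP_FILTER),
        "safe_legit": filter_messages_safe(conn, json.dumps({"user": "alice"})),
    }
    try:
        filter_messages_safe(conn, BYPASS_FILTER)
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the allow-list is that identifiers cannot be parameterized: a driver's placeholder only ever binds a value, so the only correct control for a caller-chosen column name is a fixed set of known names. A scanner that mutates JSON values but never JSON keys will exercise only the bound path and report the endpoint clean.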

6 min read. From codewall.ai
Table of contents

How It Got In
What Was Inside
Beyond the Database
Compromising The Prompt Layer
Why This Matters
Disclosure Timeline
