McKinsey's AI Platform Exposed 46.5M Messages in 120 Minutes
An AI agent walked into McKinsey's internal platform and walked out with 46.5 million plaintext chat messages in exactly two hours. No human hacker required.
This isn't your typical breach story. CodeWall's autonomous agent didn't just find vulnerabilities – it selected McKinsey as its target, citing the consulting giant's responsible disclosure policy and recent AI platform updates. Then it went to work.
The damage? Full read-write access to Lilli, McKinsey's internal AI assistant used by 40,000+ consultants. We're talking 728,000 confidential client files, 57,000 user accounts, and here's the kicker – 95 writable system prompts that control how Lilli behaves.
When APIs Attack Themselves
The exploit chain reads like a security nightmare checklist. McKinsey had 22 unauthenticated API endpoints just sitting there in public documentation. One of them was vulnerable to SQL injection through concatenated JSON keys in user search queries.
Basically, someone concatenated user input directly into SQL queries. In 2026. At McKinsey.
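The flaw class described above, as an added example that is not code from McKinsey, CodeWall, or this article's sources: a search handler that binds values as parameters but concatenates JSON keys into the SQL text, next to a version that maps keys through an allowlist. The table, field names and request bodies are constructed for illustration.

```python
import json
import sqlite3

# Hypothetical field-to-column map; the article does not describe the real schema.
ALLOWED_FIELDS = {"name": "name", "office": "office"}

def make_db():
    """Build a small in-memory table of constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, office TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("ana", "Lisbon", "s1"), ("bo", "Oslo", "s2")])
    return db

def search_vulnerable(db, body):
    """Values are bound as parameters, but JSON keys become part of the SQL text."""
    filters = json.loads(body)
    where = " AND ".join(f"{key} = ?" for key in filters)
    sql = f"SELECT name FROM users WHERE {where}"
    return [row[0] for row in db.execute(sql, list(filters.values()))]

def search_hardened(db, body):
    """Keys are resolved through an allowlist; only values reach the driver as data."""
    filters = json.loads(body)
    if not isinstance(filters, dict) or not filters:
        raise ValueError("filter must be a non-empty JSON object")
    clauses, params = [], []
    for key, value in filters.items():
        column = ALLOWED_FIELDS.get(key)
        if column is None:
            raise ValueError(f"unsupported filter field: {key!r}")
        if not isinstance(value, str):
            raise ValueError("filter values must be strings")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = "SELECT name FROM users WHERE " + " AND ".join(clauses)
    return [row[0] for row in db.execute(sql, params)]

# Constructed request bodies: one ordinary filter, one whose key carries SQL.
NORMAL = '{"office": "Oslo"}'
CRAFTED = '{"1=1 OR office": "Oslo"}'
```

Parameter binding alone does not help here, because placeholders protect values and not identifiers. Any part of a request that ends up as a column or table name has to be matched against a fixed list.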
"If you can't lay your system out bare... you don't honestly believe it's designed securely," one HackerNews commenter noted after McKinsey's fix involved hiding API docs rather than proving secure design.
The agent found this flaw on February 28, disclosed it March 1, and McKinsey patched within 24 hours. Credit where due – that's solid response time. But the scale of exposure is staggering.
What Nobody Is Talking About
Everyone's focused on the technical failures, but the real story is autonomous target selection. This wasn't a human researcher picking McKinsey off a list. The AI agent evaluated potential targets and decided McKinsey looked promising.
CodeWall CEO Paul Price described the process as "fully autonomous from research to reporting." That's terrifying and impressive in equal measure.
Think about the implications:
- Agents scouting targets 24/7
- 80-90% of cyberattacks now automatable
- No human decision-making bottlenecks
- Scale that makes traditional red-teaming look quaint
We're not just talking about faster hacking. We're talking about different hacking.
The McKinsey Problem
Here's where it gets spicy. This breach exposed strategy discussions, M&A plans, and client engagement details for one of the world's most connected consulting firms. McKinsey's client list reads like a Fortune 500 directory.
But McKinsey's security oversight fits a troubling pattern. This is the same firm that:
- Paid $650 million in 2024 for advising Purdue Pharma on OxyContin sales
- Got caught greenwashing after internal analyses showed clients missing climate goals
- Faced national security scrutiny for undisclosed Chinese government consulting
Maybe the real vulnerability isn't technical. Maybe it's cultural.
The Poisoned Prompt Problem
The scariest detail? Those 95 writable system prompts. An attacker could subtly modify how Lilli responds to consultants without touching any code. Imagine McKinsey's AI quietly steering strategy recommendations toward competitors' interests.
Prompt poisoning is stealthy, persistent, and nearly undetectable. It's like social engineering at machine scale.
Fighting Fire With Fire
CodeWall's success validates the AI red-teaming services market they're building. If autonomous agents can break systems this thoroughly, maybe only autonomous defenders can keep up.
The irony is delicious: McKinsey, the firm that sells digital transformation to everyone else, got schooled by the very automation they preach.
The patch is live. The docs are hidden. But the real question remains: if an AI can autonomously target and breach McKinsey in two hours, who's next on its list?
