An AI Agent Hacked McKinsey's AI With a 25-Year-Old Exploit

Tags: ai-security, agents, enterprise-adoption, vendor-risk

On February 28, security startup CodeWall pointed an autonomous offensive agent at McKinsey’s internal AI platform Lilli — a tool used by over 43,000 employees. The agent had zero credentials, zero insider knowledge, and zero human guidance.

Within two hours, it had full read-write database access, including the system prompts that controlled how Lilli responded to every consultant in the firm.

The attack path was almost comically straightforward. The agent found exposed API documentation, identified 22 unauthenticated endpoints, and exploited a SQL injection vulnerability to walk straight into the database. An attacker could have silently rewritten Lilli’s behavior — poisoning the advice flowing to tens of thousands of consultants — and nobody would have noticed until the damage was done.

SQL injection has been on the OWASP Top 10 since 2003. It’s the security equivalent of leaving your front door unlocked while installing a state-of-the-art alarm system in the attic. McKinsey built an impressive AI layer on top of infrastructure with holes that a first-year security student would catch in a penetration test.

This is what the “integration over capability” lens keeps revealing. The AI component can be brilliant — sophisticated retrieval, nuanced generation, seamless UX — and still be catastrophically vulnerable because the systems it’s built on weren’t secured properly. The autonomous agent didn’t need any novel techniques. It just methodically tested the basics, and the basics failed.

The uncomfortable implication for every enterprise deploying AI: your model vendor’s security posture is only one layer. You’re also inheriting every vulnerability in your API gateway, your database, your authentication layer, and every integration point in between. If any of those have the kind of gaps that get flagged in a routine pen test, an autonomous agent — friendly or hostile — will find them faster than a human ever could.

Three questions worth asking your team this week:

  • When was your last pen test that included the AI layer’s full stack? Not just the model, but the APIs, databases, and endpoints it touches.
  • How many of your AI platform’s endpoints require authentication? If you don’t know the number, that’s the answer.
  • Who can modify system prompts, and how would you detect unauthorized changes? If an attacker rewrote your AI’s instructions tonight, when would you find out?
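One concrete way to answer the second question, added here as an example and not code from the original post or from either company named in it: it walks an OpenAPI 3 document and lists every operation whose effective security requirement is empty, the same kind of inventory an offensive agent builds from exposed API docs. The spec below is constructed, and its paths are hypothetical.

```python
"""Audit an OpenAPI 3 document for operations callable without authentication.
Constructed example; the SAMPLE_SPEC and its paths are hypothetical."""
from typing import Dict, List, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "options", "head")


def unauthenticated_operations(spec: dict) -> List[Tuple[str, str]]:
    """Return (METHOD, path) pairs whose effective security requirement is empty.

    OpenAPI rules applied: an operation-level `security` overrides the
    document-level one; an empty list (`security: []`) or a list containing
    an empty requirement object (`{}`) means anonymous access is allowed.
    """
    global_sec = spec.get("security", [])
    found = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            sec = op.get("security", global_sec)
            if not sec or any(req == {} for req in sec):
                found.append((method.upper(), path))
    return found


# Constructed sample spec modelled on an internal AI assistant API (hypothetical).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # default: every operation needs a bearer token
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/v1/chat": {"post": {"summary": "Chat completion"}},  # inherits bearerAuth
        "/v1/prompts/{id}": {
            "get": {"summary": "Read a system prompt", "security": []},      # explicitly open
            "put": {"summary": "Update a system prompt", "security": [{}]},  # optional auth == open
        },
        "/healthz": {"get": {"summary": "Liveness probe", "security": []}},
    },
}


def audit(spec: dict) -> Dict[str, int]:
    """Summary counts a team can track week over week."""
    total = sum(1 for item in spec.get("paths", {}).values() for m in HTTP_METHODS if m in item)
    return {"total": total, "unauthenticated": len(unauthenticated_operations(spec))}


if __name__ == "__main__":
    for method, path in unauthenticated_operations(SAMPLE_SPEC):
        print(f"UNAUTHENTICATED {method} {path}")
    print(audit(SAMPLE_SPEC))
```

An unauthenticated write path to system prompts, like the constructed `PUT /v1/prompts/{id}` above, is exactly the gap the third question is about.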

McKinsey isn’t a small company cutting corners on a shoestring budget. If their AI infrastructure had 25-year-old vulnerabilities sitting in the open, what’s lurking in yours?