AI agent hacked McKinsey chatbot, gained full read-write access in two hours
Mar 12th 2026
A CodeWall autonomous agent reportedly used exposed API docs and a SQL injection to reach McKinsey's Lilli chatbot data and writable system prompts in under two hours; McKinsey says it patched the issues and found no evidence of client data theft.
- CodeWall says its autonomous red-team agent breached McKinsey's Lilli in about two hours and achieved full read and write access to the production database.
- The agent exploited publicly exposed API documentation with 22 unauthenticated endpoints and a SQL injection in a search-writing endpoint.
- Researchers claim they accessed 46.5 million chat messages in plaintext, 728,000 files, 57,000 user accounts, and 95 writable system prompts that control the chatbot's behavior.
- CodeWall disclosed the flaw after finding it in late February; McKinsey patched the unauthenticated endpoints, took a development environment offline, and said a forensic review found no evidence of unauthorized client data access.
- The incident shows how agentic AI can automate and speed up complex intrusions, a capability that security teams warn malicious actors could adopt.