McKinsey’s internal AI chatbot breached via basic SQL injection
TL;DR: Security firm CodeWall breached McKinsey’s internal AI chatbot Lilli within two hours using an autonomous penetration-testing bot. The attacker accessed 46.5 million chat messages, 57,000 user accounts, and the system’s prompt configurations. The entry point was a SQL injection vulnerability, a class of flaw that has been documented since the 1990s.
McKinsey has confirmed it patched Lilli after being alerted to the vulnerability by CodeWall, a one-person security firm founded by Paul Price. The consulting giant said no client data or confidential client information was accessed, though the scale of internal data exposed raises questions about how enterprise AI tools are being secured.
What was exposed
CodeWall’s autonomous platform gained access to 728,000 sensitive file names for Excel, PowerPoint, and Word documents, though the documents themselves were stored separately. It also reached 384,000 AI assistants and 94,000 workspaces, which CodeWall described as revealing the “full organisational structure” of how McKinsey uses AI internally.
Perhaps most concerning was access to Lilli’s system prompts and model configurations, the instructions that govern how the AI behaves and what guardrails are in place. For any organisation, having those exposed effectively hands an attacker a map of the system’s intended boundaries and potential weak points.
The irony is hard to miss
McKinsey is actively selling AI consulting services to major organisations worldwide. Being breached through a SQL injection, one of the oldest and most well-understood web vulnerabilities, raises awkward questions about the gap between advisory expertise and internal security practice.
The incident also serves as a real-world demonstration for CodeWall’s product. Whether the disclosure was coordinated or opportunistic, it has generated precisely the kind of publicity a security startup needs.
Looking forward
For UK businesses deploying internal AI chatbots, the McKinsey breach is a pointed reminder. AI tools that ingest organisational knowledge become high-value targets, and the attack surface they introduce may not be covered by existing security audits. The fact that a decades-old vulnerability class was the entry point suggests that basic security hygiene around AI deployments deserves as much attention as the models themselves.