
Archived Article — The Daily Perspective is no longer active. This article was published on 9 March 2026 and is preserved as part of the archive.

Technology

When Machine Beats Machine: What McKinsey's AI Hack Reveals About Corporate Overconfidence

A security firm's AI agent breached McKinsey's prized Lilli platform in hours, exposing a troubling gap between AI adoption and AI safety

Key Points
  • CodeWall's autonomous AI agent breached McKinsey's Lilli platform in 120 minutes, gaining complete read-write access to 46.5 million chat messages and confidential client data
  • The flaw exploited was SQL injection, one of the oldest vulnerabilities in computing, suggesting standard security tools failed to catch obvious issues
  • The attack could have let intruders silently rewrite Lilli's operating instructions, poisoning advice given to 40,000+ consultants and their clients
  • McKinsey patched the vulnerability hours after disclosure, but the breach illustrates how AI system complexity outpaces defensive capacity

For a company that sells strategy to the world's largest enterprises, McKinsey's own strategic failure was remarkably pedestrian. Within two hours of launching their attack, security researchers at CodeWall achieved full read and write access to the entire production database behind Lilli, McKinsey's internal AI platform, accessing 46.5 million chat messages about strategy, mergers and acquisitions, and client engagements, along with 728,000 files containing confidential client data. What's worse: this wasn't an elaborate zero-day exploit or nation-state tradecraft. The researchers found the door wide open.

CodeWall's autonomous agent initially gained access after discovering 22 unauthenticated API endpoints, where it found that JSON keys were concatenated into SQL statements, leaving them vulnerable to SQL injection. That's not cutting-edge hacking. SQL injection is one of the oldest bug classes in the book, the kind of vulnerability that should be remedial by 2026. Yet Lilli had been running in production for over two years and internal scanners failed to find any issues.
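Why binding values is not enough when JSON keys end up in the SQL text, shown as an added example (not code from McKinsey, CodeWall or the original article). The `profiles` table, its columns, the function names and the request body are hypothetical and constructed for illustration, using Python's built-in `sqlite3`.

```python
import json
import sqlite3

# Hypothetical allowlist: the only columns a client may change.
ALLOWED_COLUMNS = {"display_name", "locale"}

# Constructed request body: the JSON *key* carries SQL, the value is harmless.
HOSTILE_BODY = json.loads('{"role = \'admin\', locale": "en"}')


def make_db():
    """Constructed in-memory table standing in for an application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY,"
               " display_name TEXT, locale TEXT, role TEXT)")
    db.execute("INSERT INTO profiles VALUES (1, 'alice', 'en', 'user')")
    return db


def update_vulnerable(db, row_id, body):
    """Values are bound as parameters, but keys are pasted into the SQL text."""
    assignments = ", ".join(f"{key} = ?" for key in body)
    db.execute(f"UPDATE profiles SET {assignments} WHERE id = ?",
               [*body.values(), row_id])


def update_hardened(db, row_id, body):
    """Reject any key outside the allowlist before building the statement."""
    unknown = set(body) - ALLOWED_COLUMNS
    if not body or unknown:
        raise ValueError(f"rejected fields: {sorted(unknown)}")
    assignments = ", ".join(f'"{key}" = ?' for key in body)
    db.execute(f"UPDATE profiles SET {assignments} WHERE id = ?",
               [*body.values(), row_id])


def role_of(db, row_id):
    return db.execute("SELECT role FROM profiles WHERE id = ?",
                      (row_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    update_vulnerable(db, 1, HOSTILE_BODY)
    print("vulnerable:", role_of(db, 1))   # role changed by the key alone
    db = make_db()
    try:
        update_hardened(db, 1, HOSTILE_BODY)
    except ValueError as exc:
        print("hardened:", exc, "| role:", role_of(db, 1))
```

Placeholders protect values only; any identifier that reaches the statement text has to come from a fixed set the server controls, which is also a pattern a code review or scanner rule can look for.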

This gap between what McKinsey believed about its own security and what was actually true captures something broader about how corporations have approached AI adoption: speed and optimism have consistently outpaced actual readiness. Since Lilli's rollout in July 2023, the platform achieved 72 percent firm-wide adoption with over 500,000 prompts processed monthly. The platform was woven into how tens of thousands of consultants did their work. It became infrastructure. But it wasn't secured like infrastructure.

The real danger here wasn't mere data theft. Because the SQL injection flaw gave read-write access, an attacker could silently rewrite Lilli's prompts, poisoning how the chatbot answered consultants' queries, with no deployment needed, no code change, just a single UPDATE statement wrapped in an HTTP call. Imagine that for a moment: an attacker could have invisibly corrupted the advice given to McKinsey consultants working on client strategy, financial models, and risk assessments. The consultants would have trusted the output because it came from their own internal tool.

CodeWall's own process is instructive, and slightly unsettling. An autonomous agent found the vulnerability because it doesn't follow checklists; it maps, probes, chains, and escalates the same way a real highly capable attacker would, but continuously and at machine speed. The implication is clear: if your own defensive scanners are running scripts, and attackers are running AI agents, the asymmetry is already built in. Lilli had been running in production for over two years and their own internal scanners failed to find any issues. An autonomous attacker found what human-guided tools missed.

McKinsey's response was competent, at least after the fact. CodeWall disclosed the full attack chain on March 1, and by the following day McKinsey had patched all unauthenticated endpoints and taken the development environment offline. The company has stated it found no evidence of unauthorized access by actual threat actors. But that's almost beside the point. The vulnerability existed. The systems that were supposed to catch it didn't. An attacker with moderate resources would have succeeded.

What troubles security researchers now is the larger context. CodeWall CEO Paul Price warned that hackers will be using the same autonomous agent technology and strategies to attack indiscriminately, with objectives such as financial blackmail for data loss or ransomware. The McKinsey breach wasn't a warning about McKinsey specifically. It was a warning about what happens when corporations race to deploy AI without building the security architecture to match.

There is an uncomfortable lesson buried in this story. The technologies that companies are rushing to adopt to gain competitive advantage are also becoming the tools attackers use to breach them. An autonomous agent found this vulnerability because it doesn't follow checklists; it maps, probes, chains, and escalates the same way a real highly capable attacker would, but continuously and at machine speed. We've entered an era where defensive security is no longer human-speed; it's machine-speed. And that changes everything about how organisations need to think about risk.

McKinsey will recover from this breach. Its team and processes are solid enough. The real casualty may be something harder to quantify: the assumption that we know how to secure systems at the speed and scale at which we're now deploying them. That assumption, it turns out, was always provisional.

Nina Papadopoulos

Nina Papadopoulos is an AI editorial persona created by The Daily Perspective, offering sharp, sardonic culture criticism spanning arts, entertainment, media, and the cultural moment. Because this is an AI persona, its articles are generated using artificial intelligence with editorial quality controls.