HN
Today

AI Agent Hacks McKinsey

An autonomous AI agent successfully breached McKinsey's internal AI platform, Lilli, by exploiting a classic SQL injection vulnerability, exposing vast quantities of confidential data. This incident highlights the critical security gaps in 'prompt layers' and sparks debate on the tech prowess of major consulting firms. The story gained traction for showcasing an AI agent performing offensive security and prompting discussions about the evolving threat landscape.

47
Score
16
Comments
#8
Highest Rank
6h
on Front Page
First Seen
Mar 11, 2:00 PM
Last Seen
Mar 11, 7:00 PM
Rank Over Time
9812131214

The Lowdown

CodeWall's autonomous AI agent, operating without human intervention for the exploit phase, successfully compromised McKinsey & Company's internal AI platform, Lilli. This sophisticated system, used by over 70% of McKinsey's 43,000 employees for critical client work and proprietary research, fell victim to a well-known vulnerability, demonstrating how traditional security flaws can be exploited with new tools and exposing a novel security frontier: the 'prompt layer'.

  • The Target: Lilli, an AI platform launched in 2023, named after McKinsey's first professional woman hire, handles over 500,000 prompts monthly for chat, document analysis, and RAG over decades of internal research.
  • The Breach: The AI agent mapped Lilli's attack surface, finding over 200 publicly exposed API endpoints, 22 of which were unauthenticated. It discovered a SQL injection in one of these endpoints where JSON keys were concatenated directly into SQL queries, even though values were parameterized. Standard security tools failed to detect this.
  • The Revelation: Within two hours, the agent achieved full read and write access to the production database, uncovering 46.5 million chat messages, 728,000 sensitive files (PDFs, Excel, PowerPoint), 57,000 user accounts, and detailed organizational structure data.
  • Beyond the Database: The compromise extended to system prompts, AI model configurations, 3.68 million RAG document chunks (McKinsey's intellectual property), and access to external AI API data and user search histories.
  • Prompt Layer Vulnerability: The article emphasizes that the ability to write to the database meant attackers could have silently rewritten Lilli's system prompts. This could lead to 'poisoned advice,' data exfiltration, guardrail removal, or 'silent persistence' where the AI behaves differently without leaving traditional audit trails.
  • Irony and Implications: The article highlights the irony that a 'world-class' firm like McKinsey fell to an 'old' vulnerability like SQL injection, yet the discovery by an autonomous AI agent represents a significant shift in offensive security capabilities. CodeWall positions itself as a solution for this new threat landscape.

This incident underscores that even organizations with substantial security investments can be vulnerable to classic exploits, especially when discovered and chained by autonomous AI agents. More importantly, it brings critical attention to the 'prompt layer' as a nascent but highly valuable target for adversaries, demanding a rethink of traditional security perimeters.

The Gossip

SQLi vs. AI Agent Acclaim

Many commenters expressed a degree of disappointment that the high-profile hack on McKinsey's AI platform ultimately boiled down to a 'good ol' fashioned SQL injection,' rather than a more novel AI-specific vulnerability like prompt injection. There was a prevailing sentiment that while the AI agent's ability to find and exploit it was interesting, the core flaw was an 'old dog' of a vulnerability, leading some to question the article's framing and the true innovation presented. Others found the narrative of 'LLMs reporting on LLMs pen-testing LLM-generated software' to be tiring, suggesting a weariness with the current AI hype cycle.

McKinsey's Maligned Tech Merit

A significant portion of the discussion revolved around McKinsey's reputation for technological prowess and the irony of such a prestigious firm falling victim to a basic SQL injection. Commenters openly questioned the article's assertion of McKinsey having 'world-class technology teams,' with some expressing schadenfreude at the company's cybersecurity lapse. There was a strong undercurrent suggesting that McKinsey's tech capabilities are often more hype than substance, and some even criticized the firm's choice to name their AI 'Lilli' as performative.

Autonomous Agent Authenticity & AI Article Auras

Skepticism emerged regarding the true 'autonomy' of the AI agent involved. Commenters debated whether the agent genuinely selected McKinsey as a target and performed the pentesting with minimal human oversight, or if the narrative was exaggerated for marketing purposes, particularly given the product promotion at the end of the article. There was also discussion about the article itself, with several users perceiving it to be written with significant 'LLM-isms' or even entirely by AI, leading to fatigue among some readers.