SQL Injection in McKinsey's AI Platform Exposed 46.5 Million Chat Messages

46.5 million chat messages. 728,000 files. 57,000 user accounts. All sitting behind a single SQL injection vulnerability in McKinsey's internal AI platform, Lilli.

Security researchers at Codewall discovered they could gain full read and write access to McKinsey's entire production database in under two hours, starting with nothing but a domain name and zero credentials. The vulnerability was found on February 28, 2026, McKinsey's CISO acknowledged it by March 2, and patches were deployed the same week.

How an Autonomous Agent Broke In

The researchers used an autonomous security agent that mapped over 200 API endpoints on Lilli's infrastructure. Of those, 22 required no authentication at all. The critical flaw was a textbook SQL injection - JSON field names were concatenated directly into SQL queries instead of being parameterized (basically, user input was treated as trusted code). Standard security scanning tools like OWASP ZAP missed it entirely.
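The flaw class described above, shown as an added example that is not code from Lilli or from the researchers: a query builder that pastes JSON keys into the SQL text, beside a hardened version. Column names cannot be passed as bind parameters, so the hardened form checks them against an allowlist and binds only the values. The `messages` table, its columns and both payloads are constructed for illustration.

```python
import json
import sqlite3

# Assumed filterable columns; the real Lilli schema is not on the page.
ALLOWED_COLUMNS = {"workspace_id", "author", "status"}


def build_filter_unsafe(payload: str):
    """Vulnerable pattern: JSON keys become part of the SQL text."""
    filters = json.loads(payload)
    where = " AND ".join(f"{key} = ?" for key in filters)
    return f"SELECT id, body FROM messages WHERE {where}", list(filters.values())


def build_filter_safe(payload: str):
    """Hardened: keys must be allowlisted, values go through bind parameters."""
    filters = json.loads(payload)
    if not isinstance(filters, dict) or not filters:
        raise ValueError("filter must be a non-empty JSON object")
    unknown = set(filters) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"unsupported filter field(s): {sorted(unknown)!r}")
    where = " AND ".join(f"{key} = ?" for key in filters)
    return f"SELECT id, body FROM messages WHERE {where}", list(filters.values())


def run_demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (id INTEGER, workspace_id INTEGER,"
               " author TEXT, status TEXT, body TEXT)")
    db.executemany("INSERT INTO messages VALUES (?,?,?,?,?)", [
        (1, 10, "alice", "open", "ws10 note"),   # constructed rows
        (2, 20, "bob", "open", "ws20 note"),
    ])
    benign = '{"workspace_id": 10}'
    tampered = '{"1=1 OR workspace_id": 10}'     # constructed: key alters the WHERE logic
    benign_rows = db.execute(*build_filter_unsafe(benign)).fetchall()
    leaked_rows = db.execute(*build_filter_unsafe(tampered)).fetchall()
    try:
        build_filter_safe(tampered)
        rejected = False
    except ValueError:
        rejected = True
    safe_rows = db.execute(*build_filter_safe(benign)).fetchall()
    return len(benign_rows), len(leaked_rows), rejected, len(safe_rows)


if __name__ == "__main__":
    print(run_demo())
```

Both builders bind the values correctly, which is why a check that only mutates values can pass the unsafe version; the difference shows up only when the key itself is altered.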

The agent ran 15 blind iterations using error messages to progressively map the database structure, then chained the SQL injection with an IDOR flaw (Insecure Direct Object Reference - where you can access other users' data by changing an ID in the request) to pull individual employee search histories.

What Was Exposed

The scope of accessible data was staggering for a platform used by one of the world's largest consulting firms:

  • 46.5 million plaintext chat messages
  • 728,000 files including PDFs, spreadsheets, and documents
  • 57,000 user accounts
  • 384,000 AI assistants across 94,000 workspaces
  • 95 system prompt configurations spanning 12 different model types
  • 3.68 million RAG document chunks (RAG is the technique where AI pulls from a company's own documents to generate answers)
  • 1.1 million files flowing through external API integrations

Consulting firms handle some of the most sensitive business data in the world - M&A strategies, competitive analyses, restructuring plans. McKinsey's clients include Fortune 500 companies and governments. The chat messages alone could contain material non-public information worth billions.

The Real Risk Was Write Access

The scariest part was not the data exposure. The researchers had write access to the production database, including the prompt layer - the system instructions that control how AI models behave. An attacker could have silently modified these prompts without leaving any logs or requiring code changes.

That means someone could have poisoned the advice Lilli gave to McKinsey consultants, or configured the AI to quietly exfiltrate sensitive data through its own outputs. Consultants would have no way to tell the difference between legitimate AI responses and manipulated ones.

This is a pattern we are going to see more of. Companies are rushing to deploy internal AI platforms that sit on top of their most sensitive data, but are applying security practices from a decade ago. A SQL injection in 2026 - in a product built by a firm that advises other companies on technology strategy - is hard to excuse.

McKinsey patched the vulnerabilities quickly once notified, which is the right response. But the fact that an autonomous agent with no credentials could map, exploit, and own the entire platform in two hours should make every company running an internal AI tool pause and audit. The attack surface of AI platforms is fundamentally larger than traditional web apps because they combine database access, file storage, external APIs, and a programmable prompt layer into a single target.