CodeWall Claims It Hacked McKinsey's Internal AI Platform Lilli

CodeWall claims autonomous agent breached McKinsey's Lilli AI platform in roughly two hours

According to CodeWall's own disclosure, no credentials or insider access were used. The firm says its offensive agent autonomously selected McKinsey as a target after parsing its public responsible disclosure policy, then allegedly achieved full read and write access to the production database. McKinsey has not confirmed or denied this account.

McKinsey's Lilli platform reportedly serves 43,000+ employees processing 500,000+ prompts monthly

Launched in 2023 and reportedly adopted by over 70% of McKinsey staff, Lilli allegedly supports chat, document analysis, and RAG-based search across more than 100,000 internal documents. This background is drawn from CodeWall's disclosure and has not been independently verified.

Alleged entry point: unauthenticated API endpoint with JSON key SQL injection that OWASP ZAP missed

CodeWall claims the agent found over 200 publicly exposed API endpoints, 22 reportedly requiring no authentication. One write endpoint allegedly concatenated JSON key names — not values — directly into SQL queries, creating a blind SQL injection. CodeWall states OWASP ZAP did not flag this flaw; the agent ran 15 blind iterations before data began returning.

Chained IDOR vulnerability and write access to system prompts alleged, enabling behavioral manipulation

Per CodeWall's disclosure, the SQL injection was chained with an insecure direct object reference flaw to access data across user accounts. Write access to system prompts via SQL injection is also alleged — representing a particularly sensitive capability in an AI platform, as it would allow an attacker to silently alter AI behavior for all users.

46.5 million plaintext chat messages allegedly accessed, covering strategy, client, and M&A data

These figures are self-reported by CodeWall and unverified. The alleged plaintext storage of sensitive consulting communications — including client financials and M&A discussions — would represent a significant data protection failure if confirmed.

Alleged exposure: 728,000 files, 57,000 user accounts, 3.68 million RAG document chunks, 95 AI model configs

File types allegedly included 192,000 PDFs, 93,000 Excel files, 93,000 PowerPoints, and 58,000 Word documents. Also allegedly exposed: 384,000 AI assistants, 94,000 workspaces, and 95 AI model configurations across 12 model types. All figures originate from CodeWall's disclosure only.

Offensive agent reportedly selected McKinsey as a target autonomously without human direction

CodeWall states its agent identified McKinsey by analyzing public responsible disclosure policies — raising questions about risks of fully autonomous offensive security tooling and how organizations' own transparency policies may factor into threat actor targeting.

McKinsey has not confirmed, denied, or responded to CodeWall's claims

This disclosure comes from a single source: CodeWall's own research writeup published via a low-trust aggregator. Without independent verification or a McKinsey response, the full scope and accuracy of the alleged breach remain unconfirmed.