Autonomous AI Agent Breaches McKinsey’s Lilli Platform

An autonomous security agent from CodeWall breached McKinsey's internal AI platform, Lilli, by exploiting a simple SQL injection in an unauthenticated API. The attack exposed millions of confidential chat messages and proprietary documents while revealing a critical vulnerability in the platform's prompt layer. This incident demonstrates that AI-driven offensive tools can rapidly dismantle the security of even the most prestigious and well-resourced organizations.

Key Points

An autonomous AI agent discovered a critical SQL injection vulnerability in McKinsey's Lilli platform that traditional security tools missed.
The breach exposed massive amounts of proprietary data, including decades of research, millions of internal chats, and hundreds of thousands of confidential documents.
Attackers with write access could manipulate 'system prompts,' silently altering the AI's logic to provide poisoned advice or bypass safety guardrails.
The incident underscores that even well-resourced organizations are vulnerable to AI-driven attacks that chain multiple minor flaws into a devastating compromise.
Prompts and RAG knowledge bases have become the new 'Crown Jewel' assets that require the same level of security as traditional code and servers.

Sentiment

The community broadly agrees with the article's conclusion that enterprise AI security is inadequate, but largely rejects the framing that this represents a novel AI-specific breakthrough. HN is united in schadenfreude toward McKinsey, critical of the AI-generated writing, and genuinely concerned about the system prompt write-access vulnerability — but finds the SQL injection itself unremarkable. The discussion is more hostile to McKinsey's culture and brand than to the overall premise of AI-assisted pentesting.

In Agreement

The speed of compromise — full database access in two hours with no credentials — highlights how dangerously under-secured enterprise AI platforms can be.
Write access to system prompts is a uniquely alarming attack surface: a single UPDATE statement could have silently poisoned the strategic advice delivered to tens of thousands of consultants with no deployment, no code review, and no logs.
AI agents do represent a genuinely new class of security tooling that can find subtle vulnerabilities (like unsanitized JSON key names) that traditional scanners miss.
Enterprises are deploying AI platforms without adapting their security models, treating RAG systems like standard SaaS rather than as autonomous systems with different threat profiles.
The autonomous selection of McKinsey as a target by the AI agent itself — based on their public responsible disclosure policy — illustrates that AI-driven attacker autonomy is already operational.

Opposed

The core vulnerability was a textbook SQL injection, not a novel AI-specific attack; framing it as a breakthrough in agentic hacking is overselling what is fundamentally old-school security negligence.
McKinsey's claim to 'world-class technology teams' in the article is mocked by insiders, who describe a culture that structurally punishes software quality and long-term maintenance.
The blog post itself being AI-generated undermines credibility; the CodeWall founder confirmed an LLM wrote the factual content, leading some to flag it as unreliable and question whether inaccuracies went unchecked.
CodeWall is a brand-new, unknown company with no public track record, making independent verification of the breach difficult until The Register obtained McKinsey's confirmation.
Operating a security agent with 'no human in the loop' against live production systems is ethically questionable, even when done under responsible disclosure norms.