McKinsey Infiltrated: An Autonomous AI Targets the Internal Chatbot
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
A Rapid and Autonomous Infiltration of McKinsey's AI
In February 2026, McKinsey & Company, one of the most influential consulting firms in the world, was targeted by an attack orchestrated by an autonomous AI agent developed by the cybersecurity startup CodeWall. This agent successfully compromised McKinsey's internal AI platform, known as Lilli, by exploiting a SQL injection vulnerability. This intrusion allowed the agent to access a vast production database without requiring a password, internal complicity, or human intervention.
The attack was made public on March 9, 2026, after McKinsey had patched the vulnerabilities. Lilli, the targeted platform, was launched in 2023 to assist McKinsey consultants in analyzing documents and generating strategic recommendations. Used by over 70% of the firm's 43,000 employees, Lilli processes more than 500,000 queries per month, making it a prime target due to the sensitive strategic and financial information it handles.
CodeWall's AI Agent Targets McKinsey
CodeWall's AI agent chose McKinsey as its target due to two key factors: McKinsey's responsible disclosure policy, which permits this type of testing, and recent updates to Lilli that may have introduced new vulnerabilities. This autonomous attack demonstrated how an AI can identify and exploit vulnerabilities without direct human intervention.
The Course of the Autonomous Attack
In a blog post, CodeWall detailed the steps of the attack. The AI first mapped the elements accessible on the Internet, discovering that Lilli's technical documentation was publicly exposed. This documentation listed over 200 entry points into the system, of which 22 required no authentication.
One of these entry points allowed the recording of user searches in the database. By analyzing this point, the agent uncovered a flaw: the names of the fields used to identify the values entered by users were directly embedded in the SQL queries without prior validation.
This vulnerability enabled the agent to execute a SQL injection, inserting malicious commands into a legitimate query to interrogate the database. The agent multiplied its attempts, using error messages to gradually reconstruct the database structure and extract real data.
McKinsey's Reaction and Implications
According to CodeWall, the attack allowed access to 46.5 million chat messages, 728,000 internal files, 57,000 user accounts, as well as 95 prompt configurations controlling Lilli's behavior. The SQL injection also provided write access, which could have allowed modifications to Lilli's instructions.
CodeWall informed McKinsey of these findings on March 1, 2026. The following day, McKinsey patched the vulnerabilities, took its development environment offline, and blocked public access to the API documentation. The firm assured that no client data had been accessed or exfiltrated.
The CEO of CodeWall warned about the potential for such autonomous attacks to extend beyond the realm of cybersecurity research. He emphasized that hackers could use these technologies for targeted attacks, aiming for financial extortion or the dissemination of ransomware.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.