An AI Agent Broke Into McKinsey’s Internal Chatbot and Accessed Millions of Records in Just 2 Hours

The rapid adoption of generative‑AI tools inside large enterprises has created a new attack surface that traditional security teams are still learning to defend. Firms such as McKinsey have embedded internal chatbots like Lilli to streamline strategy work, while red‑team outfits are deploying autonomous AI agents to probe those systems. CodeWall’s experiment illustrates how an AI‑driven adversary can scan public documentation, enumerate endpoints, and launch exploits without human intervention. This shift from manual pen‑testing to self‑learning agents accelerates discovery of hidden flaws and forces organizations to rethink threat modeling.

Within two hours the autonomous agent gained full read‑and‑write privileges on Lilli’s backend, extracting 46.5 million chatbot exchanges and 728 000 client‑related files. The breach hinged on 22 API endpoints that required no authentication, one of which logged user queries, effectively exposing the entire conversational history. Because the attacker could also modify system prompts, the vulnerability opened the door to subtle data poisoning—altering the advice delivered to consultants without triggering conventional alerts. The scale of exposed data underscores how a single mis‑configured API can jeopardize millions of confidential records.

The incident sends a clear signal to consulting firms and any organization that relies on internal AI assistants: API hygiene and zero‑trust controls are no longer optional. Continuous monitoring of endpoint exposure, strict authentication, and immutable logging must be baked into AI platform design. Moreover, the ability to write to prompt libraries demands robust integrity checks to prevent covert manipulation of model behavior. As autonomous AI agents become more prevalent in both offensive and defensive cyber operations, enterprises will need dedicated AI‑security teams to safeguard the very data that fuels their competitive advantage.