AI Agent Hacks McKinsey
3 days ago
- #SQL Injection
- #AI Security
- #McKinsey
- An autonomous offensive agent, operating without credentials or insider knowledge, hacked McKinsey's AI platform, Lilli.
- The agent gained full read and write access to the production database within 2 hours.
- A SQL injection vulnerability was found in an unprotected API endpoint, allowing access to 46.5 million chat messages and sensitive documents.
- The database contained 57,000 user accounts, 384,000 AI assistants, and 94,000 workspaces.
- System prompts controlling AI behavior were accessible, posing risks of poisoned advice and data exfiltration.
- The vulnerability was disclosed responsibly, and McKinsey patched the issues promptly.