An AI agent hacked McKinsey's internal AI platform in two hours using a decades-old technique

· Source: The Decoder · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Software Development & Engineering · Depth: Intermediate, short

Summary

Security firm Codewall used an AI agent to breach McKinsey's internal AI platform, Lilli, gaining full read and write access to its production database within two hours. The attack exploited a SQL injection vulnerability in the JSON field names (keys) of API requests rather than in the submitted values, a vector that traditional scanners failed to detect. This allowed the agent to extract 46.5 million chat messages, 728,000 files, and 57,000 user accounts. Critically, the system prompts controlling Lilli's behavior were stored in the same database, so an attacker could have silently manipulated the AI's responses for 43,000 users by rewriting those prompts with a single UPDATE statement. The agent also accessed 3.68 million RAG document chunks, comprising McKinsey's proprietary knowledge base. McKinsey patched the system within a day of being notified on March 1, and a forensic investigation found no evidence of client data access.

Key takeaway

For CTOs and VPs of Engineering deploying internal AI platforms, your security architecture must evolve beyond traditional perimeter defenses. You should immediately review how your AI system's prompts and RAG data are stored and accessed, ensuring they are isolated from general production databases. Prioritize specialized security testing that can detect non-traditional SQL injection vectors, as a decades-old vulnerability can now enable silent, widespread AI manipulation.

Key insights

Classic SQL injection vulnerabilities can enable silent, widespread AI system manipulation via prompt and RAG data access.

Method

The AI agent needed 15 blind iterations, guided by information leaked in error messages, to reach full read/write access via SQL injection targeting JSON field names rather than input values.
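The field-name vector described above, as an added illustration that is not code from Codewall, McKinsey or The Decoder: a hypothetical API handler that turns JSON keys into column names, shown in the vulnerable form beside an allowlisted form. The table, column names and schema are assumptions for the example.

```python
import sqlite3

# Assumed schema for illustration; Lilli's real tables are not public.
ALLOWED_UPDATE_COLUMNS = {"display_name", "locale", "timezone"}

def build_update_unsafe(table, row_id, payload):
    """Vulnerable pattern: each JSON key becomes a column name by string
    concatenation. Values are bound parameters, so a scanner that fuzzes
    only values sees nothing, but the keys reach the SQL parser verbatim."""
    assignments = ", ".join(f"{key} = ?" for key in payload)
    sql = f"UPDATE {table} SET {assignments} WHERE id = ?"
    return sql, (*payload.values(), row_id)

def build_update_safe(table, row_id, payload):
    """Hardened pattern: a JSON key may become an identifier only if it is in
    a static allowlist; values stay bound parameters. Anything else is
    rejected before any SQL is built, which is also the place to log it."""
    unknown = set(payload) - ALLOWED_UPDATE_COLUMNS
    if unknown:
        raise ValueError(f"unexpected field name(s): {sorted(unknown)}")
    assignments = ", ".join(f'"{key}" = ?' for key in payload)
    sql = f'UPDATE "{table}" SET {assignments} WHERE "id" = ?'
    return sql, (*payload.values(), row_id)

def demo():
    """Run both builders against an in-memory SQLite table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (7, 'alice', 'member')")
    # Legitimate request: only allowlisted keys, so the safe builder accepts it.
    sql, params = build_update_safe("users", 7, {"display_name": "Alice"})
    conn.execute(sql, params)
    # Request carrying a key the API never meant to expose ('role').
    # The unsafe builder turns it into a column and the write succeeds;
    # the safe builder refuses before touching the database.
    sql, params = build_update_unsafe("users", 7, {"role": "admin"})
    conn.execute(sql, params)
    written_role = conn.execute("SELECT role FROM users WHERE id = 7").fetchone()[0]
    try:
        build_update_safe("users", 7, {"role": "admin"})
        rejected = False
    except ValueError:
        rejected = True
    conn.close()
    return written_role, rejected
```

The same allowlist check belongs on every place a request key is used as an identifier (SET, WHERE, ORDER BY, JSON path operators), not only on values; that is the surface a value-only scanner never exercises.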

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, MLOps Engineer, Software Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by The Decoder.