How SQL Injection Breached McKinsey's Lilli AI Platform: 46.5 Million Messages Exposed
On February 28, 2026, a security company called CodeWall pointed an autonomous offensive AI agent at the open internet and let it choose a target. It picked McKinsey & Company's Lilli — the consulting firm's internal AI platform used by more than 43,000 employees worldwide.
Two hours later, the agent had full read and write access to Lilli's production database.
The damage surface: 46.5 million chat messages, 728,000 files, 57,000 user accounts, and 95 system prompts that governed how the AI behaved for every user. And the vulnerability that made it all possible? SQL injection — a bug class that's been documented since the 1990s.
What Is Lilli, and Why Did It Matter?
McKinsey launched Lilli in 2023, naming the platform after Lillian Dombrowski, the firm's first professional female hire in 1945. By the time of the breach, over 70% of McKinsey's workforce used it daily. The platform indexed more than 728,000 internal documents and ran retrieval-augmented generation (RAG) over decades of proprietary research, processing upwards of 500,000 prompts per month.
Lilli wasn't just a chatbot. Its database held user data alongside AI configuration — system prompts, RAG knowledge bases, and behavioral guardrails. Anyone with write access to that database could silently alter how the AI responded to every employee across the firm.
That distinction is what separates this from a conventional breach. A traditional database compromise steals data. An AI platform breach can corrupt the advice that thousands of professionals rely on — without leaving a trace in application logs.
How the Attack Unfolded
CodeWall's autonomous agent followed a methodical, three-step process — standard in structure, but executed at machine speed.
Step 1: Mapping the attack surface
The agent discovered that Lilli's API documentation was publicly accessible, revealing more than 200 endpoints. Of those, 22 required no authentication whatsoever. One of those unauthenticated endpoints accepted user search queries and wrote them directly to the database.
Step 2: Finding the injection point
The search endpoint had parameterized its query values correctly — the standard defense against SQL injection. But the JSON keys (the field names themselves) were concatenated directly into the SQL query without sanitization.
When the agent sent malformed key names, the database reflected them verbatim in its error messages. That reflection was all the agent needed. In just 15 blind iterations, it refined its injections, extracting progressively more data from each error response until production records started flowing back.
This is a pattern most automated security scanners miss entirely. Tools like OWASP ZAP check for injection in values, not in key names. The vulnerability sat in a blind spot.
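To make the distinction concrete, here is an added example (not code from the Lilli platform or the CodeWall report) of a query builder that binds values as parameters but splices the JSON field names into the SQL text, alongside a hardened version that checks every field name against an allowlist before any SQL is built; the `documents` table, its columns and the sample row are assumed.

```python
import sqlite3

# Columns the search endpoint is allowed to filter on (assumed schema, constructed for this example).
ALLOWED_COLUMNS = frozenset({"title", "owner", "workspace_id"})


def build_query_vulnerable(filters: dict) -> tuple[str, list]:
    """Values are bound as parameters, but the JSON keys become SQL text verbatim.
    This mirrors the flaw described above: parameterised values, unsanitised field names."""
    clauses = [f"{key} = ?" for key in filters]  # key is client-controlled text
    sql = "SELECT id, title FROM documents WHERE " + " AND ".join(clauses)
    return sql, list(filters.values())


def build_query_hardened(filters: dict) -> tuple[str, list]:
    """Same query shape, but every key must be a known column before it touches the SQL."""
    for key in filters:
        if key not in ALLOWED_COLUMNS:
            # Reject up front, so the database never sees (or echoes back) the unexpected key.
            raise ValueError("unknown filter field")
    clauses = [f'"{key}" = ?' for key in filters]
    sql = "SELECT id, title FROM documents WHERE " + " AND ".join(clauses)
    return sql, list(filters.values())


def run_search(builder, filters: dict) -> dict:
    """Run a search against an in-memory table and report either the rows or the error text
    the application would have handed back to the client."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER, title TEXT, owner TEXT, workspace_id INTEGER)")
    conn.execute("INSERT INTO documents VALUES (1, 'Q3 pricing model', 'alice', 7)")
    try:
        sql, params = builder(filters)
        rows = conn.execute(sql, params).fetchall()
        return {"ok": True, "rows": rows, "error": None}
    except (sqlite3.Error, ValueError) as exc:
        return {"ok": False, "rows": [], "error": str(exc)}
    finally:
        conn.close()


if __name__ == "__main__":
    good = {"owner": "alice"}
    bad = {"no_such_column": "alice"}  # constructed: a field name that is not a column
    print(run_search(build_query_vulnerable, good))
    print(run_search(build_query_vulnerable, bad))  # database error echoes the key verbatim
    print(run_search(build_query_hardened, bad))    # rejected before any SQL is built
```

The vulnerable builder's error text repeats the unexpected key back to the caller, which is exactly the reflection the article says the agent relied on; the hardened builder fails closed with a fixed message.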
Step 3: Chaining with IDOR
Once inside, the agent combined the SQL injection with an Insecure Direct Object Reference (IDOR) vulnerability. This allowed it to access individual user records by incrementing IDs, exposing each employee's search history and revealing what McKinsey's consultants were actively researching.
Together, these two vulnerabilities gave the agent unrestricted read-and-write access to the entire production database.
What Was Exposed
The scope of the breach was substantial:
- 46.5 million chat messages
- 728,000 files (Excel, PowerPoint, PDF, Word)
- 57,000 user accounts
- 95 system prompts
- 3.68 million RAG document chunks
- 94,000 AI workspaces
The 3.68 million RAG chunks represent McKinsey's intellectual foundation — proprietary frameworks, internal research, and client-engagement methodologies built over decades. Each chunk came with its S3 storage path and internal metadata intact, meaning an attacker would know exactly where the original documents lived.
The 95 system prompts contained the AI's behavioral rules: how to answer questions, which guardrails to enforce, and how to cite sources. They were stored in the same database as everything else, protected by the same (absent) authentication.
Why System Prompt Access Changes Everything
In a traditional application, database write access has a bounded impact. An attacker who can write to a users table can create accounts or change passwords. An attacker who can write to a sessions table can hijack logins. Serious, but scoped.
When an AI platform stores its behavioral configuration in a SQL database, write access takes on a different dimension entirely.
Consider what becomes possible: modify a system prompt to suppress certain response types, and the AI silently stops providing them. Add an instruction to include a specific URL in every financial recommendation, and the AI will do it reliably for every consultant who asks. Change the citation behavior, and years of accumulated professional trust in the system start pointing wherever the attacker wants.
None of these changes appear in a traditional audit trail. No code changed. No deployment happened. The application is behaving exactly as designed — it reads its instructions from the database and follows them. The instructions just aren't the original ones anymore.
This isn't hypothetical. The McKinsey breach demonstrated that production AI systems at major enterprises are storing behavioral configuration alongside user data in standard relational databases, behind the same authentication (or lack of it) that protects everything else.
The Broader Pattern
This is the third major incident in recent months where an API security failure in an AI system led to consequences well beyond a typical data breach. In each case — including reported distillation attacks and session takeover incidents at other firms — the underlying vulnerability wasn't novel. What was new was what those vulnerabilities enabled in an AI-specific context.
SQL injection remains one of the most frequently detected threat types across monitored APIs, decades after the exploit class was first documented. Enterprises building AI-native systems are deploying them with the same security debt that plagued their pre-AI APIs, plus entirely new attack surfaces — system prompts, RAG pipelines, model parameters — that traditional security tooling was never built to monitor.
McKinsey's Response
CodeWall sent its disclosure email to McKinsey's security team on March 1, 2026. The CISO acknowledged receipt and requested detailed evidence the following day. Patches for the unauthenticated endpoints were deployed shortly after, the development environment was taken offline, and public API documentation was restricted.
McKinsey stated there was no evidence that unauthorized parties had accessed client data.
What This Means for Anyone Building AI Platforms
The McKinsey breach will be categorized as an "enterprise AI security incident" in most analyses, but the root cause is older and simpler than that framing suggests.
A production system had 22 endpoints that skipped authentication. One of those endpoints had a SQL injection flaw in a place that scanners don't typically check. The database it connected to also held the AI system's behavioral configuration.
Three priorities stand out for teams building or operating AI platforms:
First, enforce authentication everywhere. Twenty-two unauthenticated endpoints in a system handling confidential data is a governance failure that any API inventory review would surface. Every endpoint needs authentication — no exceptions.
Second, separate AI configuration from user data. System prompts, RAG settings, and model parameters should not live in the same database as user records. They need stricter write controls and dedicated change logging.
Third, monitor API behavior in production. The blind SQL injection generated a distinctive pattern — 15 iterative requests to the same endpoint, each with modified key names, each producing error responses. That sequence doesn't look like legitimate user behavior. Sequential ID-based requests across user accounts (the IDOR exploitation) produce equally recognizable access patterns. Detection in production gives you a second line of defense when static analysis and scanners miss something.
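As an added example (not from the page or from any vendor tooling), the following detection logic runs over constructed API access records and flags the two patterns named above: a client drawing repeated error responses from one endpoint while changing the request's field names each time, and a client walking consecutive object ids. The record layout, client addresses, endpoints and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample API access records (not real Lilli logs). "keys" holds the JSON field names
# of the request body; "rid" is the object id in the path, when there is one.
LOG = (
    [{"client": "203.0.113.9", "endpoint": "/api/search", "status": 500,
      "keys": (f"field{i}",), "rid": None} for i in range(6)]
    + [{"client": "203.0.113.9", "endpoint": "/api/users", "status": 200,
        "keys": (), "rid": 1000 + i} for i in range(6)]
    + [{"client": "198.51.100.4", "endpoint": "/api/search", "status": 200,
        "keys": ("title",), "rid": None} for _ in range(3)]
)


def detect_key_probing(log, min_errors=5):
    """Flag (client, endpoint) pairs that accumulate error responses while the request's
    field names keep changing: the footprint of blind probing of key-name handling."""
    seen_keys = defaultdict(set)
    error_variants = defaultdict(int)
    for rec in log:
        pair = (rec["client"], rec["endpoint"])
        if rec["status"] >= 400 and rec["keys"] not in seen_keys[pair]:
            seen_keys[pair].add(rec["keys"])
            error_variants[pair] += 1
    return sorted(pair for pair, n in error_variants.items() if n >= min_errors)


def detect_id_enumeration(log, min_run=5):
    """Flag clients requesting a run of consecutive object ids on one endpoint (IDOR-style)."""
    ids = defaultdict(set)
    for rec in log:
        if rec["rid"] is not None:
            ids[(rec["client"], rec["endpoint"])].add(rec["rid"])
    flagged = []
    for pair, id_set in ids.items():
        ordered = sorted(id_set)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    print("key probing:", detect_key_probing(LOG))
    print("id enumeration:", detect_id_enumeration(LOG))
```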
The lesson from this breach is uncomfortable in its simplicity: if your AI platform stores its configuration in a relational database — and most do — then your AI security posture is only as strong as your database security. It's an old problem with entirely new consequences.