AI hacked McKinsey's internal tool, leaked sensitive data
An autonomous AI agent managed to break into McKinsey & Company's internal tool, Lilli, in less than 2 hours: no passwords, no inside help.
By finding unsecured API endpoints, the AI gained full read-and-write access to Lilli's production database.
Breach revealed confidential files, user accounts
The breach revealed 46.5 million chat messages, more than 700,000 confidential files, and tens of thousands of user accounts.
Even more concerning, the system prompts that govern how Lilli responds to consultants were left open for editing, meaning someone could have changed how the AI reasons and answers without leaving a trace.
McKinsey fixed the issue within hours
McKinsey says it fixed the issue within hours and found no sign that client data were taken.
Still, this incident is a wake-up call about how quickly companies are rolling out AI tools without locking down sensitive data or checking who is able to change what behind the scenes.