The McKinsey AI Breach Isn't About SQL Injection. It's About Writable System Prompts.

A red-team security startup reportedly gained read-write access to McKinsey's internal AI chatbot platform, Lilli, in about two hours. The agent accessed tens of millions of messages and, more critically, could modify the system prompts that steer the entire application's behavior. No deployment needed. No code change. Just an HTTP request with an UPDATE statement. To be clear: this was a controlled red-team engagement by CodeWall, not a malicious breach. But the vulnerability pattern it exposed applies to every organization running LLM-powered applications in production. And the real lesson isn't the SQL injection that got them in. It's what they could do once they were there. Why This Is Bigger Than a Database Vulnerability The initial foothold was classic application security. Publicly exposed API documentation described unauthenticated endpoints. One of those endpoints was vulnerable to SQL injection. That gave the researchers direct database access, including read and write operat