McKinsey's AI agent "Lilli" hacked - by another AI agent - thestack.technology
McKinsey's internal AI agent "Lilli" was breached through classic application security flaws: an unauthenticated endpoint with a SQL injection vulnerability, chained with an insecure direct object reference (IDOR) flaw. The exploit chain exposed 46 million chat logs, 728,000 private files, and proprietary RAG documentation, and gave access to internal AI knowledge bases and vector stores.
Source: Original Report ↗