McKinsey’s internal chatbot, “Lilli,” faced a significant security breach, exposing over 46 million chat logs and 728,000 sensitive files to hackers. This vulnerability stemmed from 22 unauthenticated endpoints, including a SQL injection flaw. The incident was uncovered by Codewall, who used an AI security agent to expose McKinsey’s weaknesses, gaining access swiftly for minimal cost. The compromised data included proprietary research, frameworks, and methods, alongside 1.1 million files and extensive OpenAI interactions. Security expert Rajat Rai highlighted that the breach wasn’t just a data theft but posed a serious risk of trust poisoning. Codewall’s founder defended their ethical penetration testing, asserting that the vulnerability had been overlooked for years despite rigorous testing by McKinsey’s internal teams. In response, McKinsey affirmed their commitment to cybersecurity, stating that no client data was compromised and that they acted swiftly to rectify the issue. This incident underscores the emerging threats posed by AI in offensive cybersecurity.
Source link
