CodeWall, an AI penetration testing firm, reports that its autonomous agent breached Bain & Company’s Pyxis competitive intelligence platform in 18 minutes on April 13. Bain confirmed to the Financial Times that it resolved the vulnerability on April 13 with external cybersecurity support — the platform is no longer at risk. The agent found a username and password hardcoded in a publicly accessible JavaScript file, authenticated into the production environment, and accessed nearly 10,000 AI-driven conversations between Bain staff and clients from consumer food brands querying competitors’ market data.

This is the third Big Three consulting firm CodeWall has breached since March, following McKinsey and BCG.

How the Agent Got In

According to CodeWall’s technical writeup, the agent started with nothing but Bain’s company name. It mapped the firm’s external infrastructure, found hundreds of subdomains, and identified Pyxis as the weak point. The credential was a service account email and password embedded in a JavaScript bundle served as part of the Pyxis website. No brute force, no social engineering, no zero-day exploit.

“The credential had probably been sitting there for months,” CodeWall wrote. “It took less time to find than most people spend eating lunch.”

Once inside, the agent discovered an API endpoint that accepted raw SQL and echoed query results back in its error messages (error-based SQL injection), giving it direct database access. The service account behind the injectable endpoint had read-write access across 11 databases with hundreds of permissions and roles.

What Was Exposed

The breach exposed 159 billion rows of sanitized consumer transaction data sourced from major data providers, including pseudonymized user IDs, zip codes, income bands, merchant details, and order totals. Client names mapped to database schemas containing the data assets Bain built for each company.

The 9,989 AI conversations included external client staff from multiple Pyxis clients. CodeWall provided redacted examples: employees from major consumer food brands asking Pyxis about competitors’ average order values, customer attrition, and category market share.

Beyond the data, the agent identified persistence and escalation paths. A GraphQL API endpoint allowed arbitrary account creation and direct Okta directory modification without additional authentication, meaning an attacker could embed themselves in Bain’s identity infrastructure even after the initial credential was rotated. The platform’s activity log contained 36,869 complete JWT tokens with 365-day expiry and no multi-factor authentication, each paired with an employee email.

Bain’s Response

Bain told the Financial Times it resolved the issue quickly with external cybersecurity support and that Pyxis operates independently of its core client systems. The firm disputed CodeWall’s characterization of the breach’s scope, according to Rankiteo’s analysis.

BCG, breached earlier this month, confirmed its issue was remediated within hours and affected only an isolated data warehouse with anonymized, public data.

Three for Three

The pattern across all three breaches is consistent: CodeWall’s agent chains actions across tools, follows instructions, and operates across API layers in ways that bypass traditional authentication boundaries. Each breach started from a public-facing surface and escalated through credential mismanagement and overly permissive service accounts.

As Alltoc noted, most organizations treat internal AI platforms as secure behind corporate authentication. Agentic behavior, where software chains tasks and operates across tool-calling layers, expands the attack surface beyond what traditional perimeter defenses are designed to handle.

CodeWall founder Paul Price targeted the Big Three specifically because of their high-profile AI initiatives, Rankiteo reported. Bain has partnered with Andrew Ng and Palantir to expand AI advisory services. BCG projects 40% of its 2026 revenue from AI-related work.

The Credential Problem at Scale

The finding that none of the three most prestigious consulting firms caught hardcoded credentials in production code raises a structural question for every organization deploying AI tools internally. CodeWall’s point is blunt: these firms run regular penetration tests costing hundreds of thousands of dollars annually, and none of them caught what an autonomous agent found in minutes.

For any team deploying internal AI platforms with tool integrations, MCP connections, or external data access, the CodeWall series demonstrates that the attack surface is the full chain of agent-accessible resources, not just the authentication layer at the front door.
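Two of the findings above, the credential embedded in a served JavaScript bundle and the long-lived JWTs sitting in an activity log, are the kind of thing a build-time scan catches. The following is an added example, not CodeWall's or Bain's tooling: a Python scanner over a constructed bundle fragment (the patterns, thresholds, sample lines and sample token are all assumptions) that flags credential-like assignments, username/password pairs on one line, and JWTs whose exp minus iat exceeds a lifetime policy.

```python
import base64, json, math, re
from collections import Counter
# Heuristic patterns: credential-like assignments, compact JWTs, e-mail addresses.
SECRET_KEY_RE = re.compile(r'(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key)\b\s*[:=]\s*["\']([^"\']{6,})["\']')
JWT_RE = re.compile(r'eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')

def shannon_entropy(s):
    """Bits per character; placeholders such as "password" score low, real secrets high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def jwt_lifetime_days(token):
    """exp - iat of the (unverified) payload in days, or None if absent or undecodable."""
    try:
        seg = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
        return (claims["exp"] - claims["iat"]) / 86400
    except (IndexError, KeyError, ValueError, TypeError):
        return None

def scan_bundle(text, max_token_days=1.0):
    """Return (kind, line_no, detail) tuples; secret values are redacted so CI logs never echo them."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        secrets = [m for m in SECRET_KEY_RE.finditer(line) if shannon_entropy(m.group(2)) >= 3.0]
        for m in secrets:
            findings.append(("hardcoded_secret", lineno, f"{m.group(1)}={m.group(2)[:3]}***"))
        if secrets and EMAIL_RE.search(line):  # username and password on the same line
            findings.append(("credential_pair", lineno, "login pair in client-side code"))
        for m in JWT_RE.finditer(line):
            days = jwt_lifetime_days(m.group(0))
            kind = "long_lived_jwt" if days is not None and days > max_token_days else "jwt"
            findings.append((kind, lineno, f"lifetime_days={days}"))
    return findings

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample bundle fragment (hypothetical, not Pyxis code). The JWT is built
# here with a dummy signature so that its payload decodes; it grants nothing anywhere.
SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"HS256","typ":"JWT"}'),
    _b64url(json.dumps({"sub": "staff@example.com", "iat": 1700000000, "exp": 1700000000 + 365 * 86400}).encode()),
    _b64url(b"dummy-signature-not-real-0123456789"),
])
SAMPLE_BUNDLE = "\n".join([
    'const cfg={apiBase:"/api/v2",theme:"light"};',
    'const svc={user:"svc-reporting@example.com",pass:"Pr0d-Svc-Acc0unt-2024!"};',
    'const ui={password:"password"};',  # placeholder value, dropped by the entropy filter
    f'const token="{SAMPLE_JWT}";',
])
```

Run it against the minified assets a build actually ships, not the source tree, since that is the artifact a crawler sees.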