728 x 90

Apple says former employee exploited ‘rare’ bug to download sensitive files after leaving OpenAI | TechCrunch

Apple says former employee exploited ‘rare’ bug to download sensitive files after leaving OpenAI | TechCrunch

On Friday, Apple released the explosive news that it was suing OpenAI for alleged theft of trade secrets, alleging that OpenAI stole confidential Apple data and engaged in efforts to learn proprietary information while recruiting former Apple employees. Accusing OpenAI of stealing secrets about unreleased Apple products, Apple revealed that a former employee allegedly diverted

On Friday, Apple released the explosive news that it was suing OpenAI for alleged theft of trade secrets, alleging that OpenAI stole confidential Apple data and engaged in efforts to learn proprietary information while recruiting former Apple employees.

Accusing OpenAI of stealing secrets about unreleased Apple products, Apple revealed that a former employee allegedly diverted a large number of sensitive files from the company’s shared network folders, weeks after leaving Apple to work at OpenAI.

In its complaint, Apple says the former employee, an electrical systems engineer named Chang Liu, allegedly “took advantage of a rare and previously unknown authentication error” that allowed access to the company’s network. The bug is classified as a zero-day vulnerability, meaning Apple didn’t have time to fix it before it was supposedly exploited.

Apple has since fixed the bug and said it terminated the employee’s access once it learned of this “security breach.” In its complaint, Apple said the bug could have allowed “some other” people to access data on its network, but alleged that only Liu took advantage of the bug to steal sensitive Apple information when he was no longer an employee, citing a check of its server logs.

The disclosure, while light on details, highlights the challenges organizations face in protecting sensitive corporate data after employees no longer work there. Companies often take steps to immediately cut off access to departing staff to protect any sensitive information from leaving, even inadvertently. Companies that do not completely dismantle their employees’ accounts may face future security breaches, data breaches, or malicious actions by disgruntled staff.

Apple spokespersons did not respond to an email from TechCrunch with questions about the security vulnerability, how it was exploited and when the company removed the employee’s credentials.

“Haha… how funny.”

In the complaint, Apple alleged that Liu took “dozens of confidential files related to Apple hardware” over several weeks while he was a new OpenAI employee.

Apple said the files contained “detailed information on unreleased products, engineering presentations, technical specifications, and proprietary project data.”

The company claims that Liu did not return the Apple-issued work laptop that he had previously used to access Apple’s network, suggesting that he was once able to send and receive files from Apple’s internal systems. The complaint said Liu allegedly claimed to have “another computer.” While at OpenAI, Liu also allegedly misused the access of an acquaintance, Yu-Ting Peng, a then-Apple employee who later went to work for OpenAI. Liu allegedly used Peng’s work laptop provided by Apple “while she was still employed at Apple and he was not.”

Apple said that during February 2026, Liu “attempted to access Apple’s network storage, a cloud-based file repository containing confidential engineering files, project documentation, and other proprietary information of Apple.”

Liu had allegedly discovered that he “could still access Apple’s network repository after leaving Apple, as a result of a then-unknown authentication vulnerability.”

Apple did not describe the authentication “error” that Liu allegedly used to access Apple’s network. However, authentication errors generally refer to flaws in the login process that allow inappropriate access to systems or data, either due to a weakness in the operation of the login mechanism or due to misconfiguration, such as overly broad permissions or failing to dismantle a former employee’s login credentials.

Apple wrote in its complaint that when Liu learned that he had unauthorized access to Apple systems, he did not report the error to Apple in accordance with his obligations in the employment agreement, nor did he return his work laptop provided by Apple.

The complaint adds that Liu also failed to “remove the program that allowed access” to Apple’s network. The company did not say what program or app Liu allegedly used to access Apple systems. It’s not uncommon for employees to have tools, such as a work-approved VPN or remote viewing app, that allow them to access sensitive data from outside the company offices using their credentials.

Since Liu was previously granted credentials to Apple’s network as an employee, TechCrunch asked Apple when the company terminated Liu’s access, but did not receive a response.

Once Liu supposedly gained access to the network share, he wrote to Peng: “LOL, I found out that I can access the [network storage]very funny.”

Apple filed its lawsuit in the United States District Court for the Northern District of California in San Jose and demanded a jury trial. OpenAI previously said it “has no interest in other companies’ trade secrets.”

The case, if it proceeds, could begin this year.

When you buy through links in our articles, we may earn a small commission. This does not affect our editorial independence.

For more tech updates, stay tuned to our blog.

Posts Carousel

Latest Posts

Top Authors

Most Commented

Featured Videos