Technology & AI

Apple says ex-employee used ‘rare’ bug to download confidential files after leaving OpenAI

On Friday, Apple dropped a hotly contested lawsuit against OpenAI over alleged theft of trade secrets, saying OpenAI stole Apple’s confidential data and engaged in efforts to learn proprietary information while hiring former Apple employees.

In accusing OpenAI of stealing secrets about undeveloped Apple products, Apple revealed that a former employee was accused of capturing sensitive files from the company’s shared network folders, weeks after he left Apple to work at OpenAI.

In its complaint, Apple says the former employee, an electrical systems engineer named Chang Liu, allegedly “exploited a rare, previously unknown authentication bug” that allowed access to the company’s network. The bug is described as a zero-day vulnerability, meaning that Apple did not have time to fix it before it was said to have been exploited.

Apple has since fixed the bug and said it terminated the employee’s access when it learned of this “security breach.” In its complaint, Apple said the bug could have allowed “a few other people” to access data on its network, but they alleged that only Liu used the bug to steal Apple’s confidential information while he was no longer an employee, citing a check of his server logs.

The disclosure, while illuminating in detail, highlights the challenges organizations face in protecting sensitive business data after employees leave. Companies often move to quickly cut off departing employees from further access to protect any sensitive information from exiting, including indirect ones. Companies that fail to fully deactivate their employees’ accounts may face future security breaches, data breaches, or malicious actions by disgruntled employees.

Apple spokespeople did not respond to an email from TechCrunch with questions about the security vulnerability, how it was exploited, and when the company revoked the employee’s credentials.

“LOL… so funny.”

In the complaint, Apple alleged that Liu took “a large number of confidential files related to Apple hardware” over the course of several weeks when he was a new employee of OpenAI.

Apple said the files contained “detailed information on unreleased products, engineering presentations, technical specifications, and proprietary project data.”

The company says Liu failed to recover an Apple-issued work laptop he used to access Apple’s network, suggesting it was once able to send and receive files on Apple’s internal systems. The complaint said Liu allegedly claimed to have “another computer.” While at OpenAI, Liu allegedly abused the access of an acquaintance, Yu-Ting Peng, a then-Apple employee who later worked for OpenAI. Liu allegedly used Peng’s Apple-issued work laptop “while she was still working at Apple and he was not.”

Apple said that in February 2026, Liu “attempted to access Apple’s network storage – a cloud-based file storage that contains confidential Apple developer files, project documents, and other proprietary information.”

Liu is said to have discovered that he “still had access to Apple’s network cache after leaving Apple, which was the result of an authentication vulnerability that was unknown at the time.”

Apple did not explain the authentication “bug” that Liu allegedly used to access Apple’s network. However, authentication errors usually refer to errors in the login process that allow incorrect access to systems or data, due to weaknesses in the way the login works or due to poor configuration, such as overbroad permissions or not revoking the login authorization of a previous employee.

Apple wrote in its complaint that when Liu learned that he had unauthorized access to Apple’s systems, he did not report the error to Apple under his obligations under the employment agreement, and he did not return his work laptop issued by Apple.

The complaint added that Liu also failed to “remove the program that allowed access” to Apple’s network. The company did not say what program or operating system Liu allegedly used to access Apple’s systems. It’s not uncommon for employees to have tools, such as a work-approved VPN or remote viewing application, that allow them to access sensitive data from outside the company’s offices using their credentials.

Given that Liu was given credentials on Apple’s network as an employee, TechCrunch asked Apple when the company revoked Liu’s access, but we have not heard back.

When Liu was able to access the network, he wrote to Peng: “LOL, I found that I can access [network storage]it’s funny.”

Apple filed its lawsuit in the US District Court for the Northern District of California in San Jose, and has sought a trial. OpenAI has previously said it “doesn’t care about other companies’ trade secrets.”

The trial, if it continues, could begin this year.

If you shop through links in our articles, we may earn a small commission. This does not affect our editorial independence.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button