Apple sues ex-employee for stealing secrets with a security flaw after joining OpenAI
Apple just accused a former engineer of exploiting a rare authentication bug to access its internal files for weeks after leaving for OpenAI. The company says Chang Liu downloaded dozens of confidential documents about unreleased products, engineering plans, and proprietary tech using a vulnerability Apple didn’t even know existed.
According to the lawsuit, Liu discovered he could still log into Apple’s network storage after switching jobs. Instead of reporting the issue, he allegedly used it to pull files, even borrowing a current Apple employee’s work laptop to expand his access. Messages cited in the complaint show Liu joking about his continued access, calling it “so funny.”
Apple claims it has since fixed the bug and confirmed Liu was the only one who abused it. The company also notes Liu never returned his Apple-issued laptop, which may have helped him maintain access. OpenAI has stated it has no interest in other companies’ trade secrets.
This case highlights a growing problem for tech giants as top talent jumps between rivals. Companies often revoke access immediately when employees leave, but overlooked credentials or unknown bugs can leave doors open. With AI competition heating up, the stakes for protecting unreleased tech are higher than ever.
You should care because this isn’t just about corporate espionage between Apple and OpenAI. It’s a reminder that even the biggest companies struggle to lock down their data, and the tools employees use daily can become security risks if not properly managed. The lawsuit also raises questions about how strictly companies police their own networks when former staff move to competitors.
Next, watch for OpenAI’s formal response and whether this case exposes broader security gaps at Apple or similar companies. If the bug was truly unknown, other former employees might have had the same access without anyone noticing.
Did Apple drop the ball on security, or is this an isolated incident with one bad actor?
How should companies balance quick access revocation with the risk of overlooking vulnerabilities?
Filed under: Apple, OpenAI, TechSecurity, DataBreach, CorporateEspionage
Comments
Post a Comment