On Friday, Apple dismissed the bombshell news that it was suing OpenAI for allegedly stealing trade secrets, claiming that OpenAI stole Apple’s confidential data and engaged in efforts to learn proprietary information while recruiting former Apple employees.
Accusing OpenAI of stealing secrets about unreleased Apple products, Apple has revealed that a former employee allegedly seized bundles of sensitive files from the company’s shared network folders, weeks after he left Apple for a job at OpenAI.
In his complaintApple says the former employee, an electrical systems engineer named Chang Liu, allegedly “exploited a rare, previously unknown authentication flaw” that allowed access to the company’s network. The bug is classified as a zero-day vulnerability, meaning Apple didn’t have time to patch it before it was allegedly exploited.
Apple has since fixed the bug and said it terminated the employee’s access upon learning of this “security breach.” In its complaint, Apple said the flaw could have allowed “few other” people to access data on its network, but claimed that only Liu exploited the flaw to steal Apple’s confidential information while he was no longer an employee, citing a review of its server logs.
The disclosure, while light on details, highlights the challenges organizations face in protecting sensitive corporate data after employees no longer work there. Companies often move to immediately cut off departing staff from further access to protect any sensitive information from leaving, including involuntarily. Companies that fail to fully decommission their employee accounts may face future security breaches, data breaches, or malicious actions by disgruntled staff.
Apple representatives did not respond to an email from TechCrunch with questions about the security vulnerability, how it was exploited and when the company decommissioned the employee’s credentials.
“LOL… so funny.”
In the complaint, Apple alleged that Liu obtained “dozens of confidential files related to Apple hardware” over the course of several weeks while he was a new employee of OpenAI.
Apple said the files contained “detailed information about unreleased products, engineering presentations, technical specifications and proprietary project data.”
The company alleges Liu failed to return the Apple-issued work laptop he had previously used to access Apple’s network, suggesting he was once able to send and receive files from Apple’s internal systems. The complaint said Liu claimed he had “another computer.” While at OpenAI, Liu allegedly abused the access of an acquaintance of his, Yu-Ting Peng, a then-Apple employee who later went to work for OpenAI. Liu allegedly used Peng’s Apple-issued work laptop “while she was still working at Apple and he was not.”
Apple said that in February 2026, Liu “attempted to access Apple’s network storage — a cloud-based file repository containing Apple’s confidential engineering files, project documentation and other proprietary information.”
Liu reportedly discovered that he “was still able to access Apple’s network repository after he left Apple as a result of a then-unknown authentication vulnerability.”
Apple did not describe the authentication “bug” Liu allegedly used to gain access to Apple’s network. However, authentication errors generally refer to flaws in the login process that allow inappropriate access to systems or data, either due to a weakness in the way the login mechanism works or due to misconfiguration, such as over-broad permissions or failure to decommission a former employee’s login credentials.
Apple wrote in its complaint that when Liu learned he had unauthorized access to Apple’s systems, he did not report the error to Apple in accordance with his employment contract obligations, nor did he return the Apple-issued work laptop.
The complaint added that Liu also failed to “delete the program that allowed access” to Apple’s network. The company did not say what program or application Liu allegedly used to access Apple’s systems. It’s not uncommon for employees to have tools, such as a work-sanctioned VPN or a remote viewing application, that allow them to access sensitive data outside of company offices using their credentials.
Since Liu had previously been granted credentials to Apple’s network as an employee, TechCrunch asked Apple when the company decommissioned Liu’s access, but we did not receive a response.
Once Liu allegedly gained access to the shared network, he wrote to Peng: “LOL, I found out that I can access the [network storage]so funny.”
Apple filed its lawsuit in the US District Court for the Northern District of California in San Jose and requested a jury trial. OpenAI said before “He has no interest in the trade secrets of other companies.”
The case, if it moves forward, could begin this year.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
