On Friday, Apple dropped the surprise news that it had filed a lawsuit against OpenAI over the alleged theft of trade secrets, claiming that OpenAI stole confidential Apple data and engaged in efforts to learn proprietary information while employing former Apple employees.
In accusing OpenAI of stealing secrets about unreleased Apple products, Apple revealed that a former employee pulled large amounts of sensitive files from the company’s shared network folders, weeks after Apple left to work at OpenAI.
in Her complaintApple says the former employee, a system electrical engineer named Zhang Liu, allegedly “exploited a rare and previously unknown authentication bug” that allowed access to the company’s network. The bug was classified as a zero-day vulnerability, meaning Apple did not have time to fix it before it was exploited.
Apple has since fixed the flaw and said it terminated the employee’s access as soon as it learned of this “security breach.” Apple said in its complaint that the flaw could have allowed a small number of other people to access data on its network, but it claimed that only Liu exploited the flaw to steal confidential Apple information while he was no longer an employee, citing an examination of its server logs.
Although this revelation is light on details, it highlights the challenges organizations face in protecting sensitive company data after employees no longer work there. Companies often move to block departing employees from accessing any sensitive information immediately to protect any sensitive information from leaving, including inadvertently. Companies that fail to completely deactivate their employees’ accounts could face future security vulnerabilities, data breaches, or… Malicious actions by disgruntled employees.
Apple spokespeople did not respond to an email from TechCrunch including questions about the vulnerability, how it was exploited, and when the company revoked employee credentials.
“Haha… very funny.”
In the complaint, Apple alleged that Liu took “dozens of confidential files related to Apple devices” over the course of several weeks while he was a new employee at OpenAI.
Apple said the files contain “detailed information about unreleased products, engineering presentations, technical specifications, and proprietary project data.”
The company alleges that Liu failed to return an Apple-issued work laptop that he had previously used to access Apple’s network, suggesting that he had previously been able to send and receive files from Apple’s internal systems. Liu claimed to have “another computer,” the complaint said. While at OpenAI, Liu also allegedly abused the access of an acquaintance, Yu-Ting Peng, then an Apple employee who later went to work at OpenAI. Liu allegedly used Peng’s Apple-issued work laptop “while she was still working at Apple and he was not.”
Apple said that during February 2026, Liu “attempted to access Apple Network Storage — a cloud-based file repository containing Apple’s confidential engineering files, project documentation, and other proprietary information.”
Liu allegedly discovered that he “still had access to Apple’s network repository after leaving Apple, as a result of a then-unknown security vulnerability.”
Apple did not describe the authentication “bug” Liu allegedly used to access Apple’s network. However, authentication errors generally refer to flaws in the login process that allow improper access to systems or data, either due to a weakness in how the login mechanism works or due to misconfiguration, such as global permissions or not turning off a previous employee’s login credentials.
Apple wrote in its complaint that when Liu learned he had unauthorized access to Apple’s systems, he did not report the flaw to Apple under the obligations of his employment agreement, nor did he return his Apple-issued work laptop.
Liu also failed to “delete the software that allowed access” to Apple’s network, the complaint added. The company did not say what software or app Liu allegedly used to access Apple’s systems. It’s not uncommon for employees to have tools, such as a work-approved VPN or a remote viewing app, that allow them to access sensitive data from outside the company’s offices using their credentials.
Since Liu had previously been granted Apple Network credentials as an employee, TechCrunch asked Apple when the company turned off Liu’s access, but we didn’t hear back.
Once Liu gained access to the network share, he wrote to Peng: “LOL, I found out that I can access the network share.” [network storage]Very funny.”
Apple filed a lawsuit in the US District Court for the Northern District of California in San Jose, demanding a jury trial. OpenAI He said previously “It has no interest in the trade secrets of other companies.”
If the case continues, it could begin this year.
When you buy through links in our articles, we may earn a small commission. This does not affect our editorial independence.









