Apple dropped a lawsuit against OpenAI last Friday, and the details are the kind of thing that makes every security engineer wince into their coffee. The allegation: a former Apple systems electrical engineer named Chang Liu walked out the door to join OpenAI, and then — weeks later, while already on OpenAI's payroll — kept downloading Apple's confidential engineering files through a bug he never bothered to report.
That's not a sophisticated nation-state attack. That's a badly decommissioned account and a guy who noticed the door was still open.
The "Rare Bug" That Wasn't Exactly Exotic
Apple's complaint describes the vulnerability as a "rare, previously unknown authentication bug" — which legally qualifies it as a zero-day, meaning Apple had no patch in place before it was allegedly exploited. But let's not let the legal framing obscure what authentication bugs actually are: flaws in the login process that let someone access systems they shouldn't. That could be a cryptographic weakness, a misconfiguration, or — the unglamorous classic — credentials that were never properly revoked.
Apple hasn't disclosed the technical specifics, and its spokespeople didn't respond to press questions about how the vulnerability worked or when exactly Liu's access was decommissioned. That silence is notable. If your authentication bug is truly exotic, you brag about having fixed it. If it's "we forgot to turn off his VPN credentials," you stay quiet and hope the legal language obscures the operational fumble.
According to Apple's complaint, Liu allegedly discovered he could still reach Apple's cloud-based network storage repository — a file share containing unreleased product specs, engineering presentations, and proprietary project data — and rather than report it as his employment agreement apparently required, he texted an acquaintance: "LOL, I found out I can access the [network storage], so funny."
To be fair to the zero-day framing: if the access persisted through a genuine authentication flaw rather than simply a forgotten credential, that's a real vulnerability. But Apple's refusal to clarify the distinction is doing a lot of heavy lifting in this complaint.
What Liu Actually Allegedly Took
Apple claims Liu downloaded "dozens of confidential hardware-related files" over several weeks while employed at OpenAI. The files allegedly included unreleased product details, technical specifications, and internal engineering documentation — exactly the kind of material that's valuable for competitive intelligence if you're trying to build hardware products that don't infringe on someone else's patents while also knowing exactly where the bodies are buried in their roadmap.
It gets messier. Apple claims Liu also never returned his Apple-issued work laptop — the device that had been configured to access Apple's internal systems. And when he allegedly needed additional reach into Apple's network, he reportedly used the laptop of Yu-Ting Peng, an acquaintance who was still an Apple employee at the time and has since also moved to OpenAI. Using someone else's credentialed device while you're an unauthorized former employee isn't a gray area; that's textbook unauthorized computer access.
The Uncomfortable Organizational Truth
Here's the part that gets buried under the legal drama: this is an incredibly common failure mode. The moment an employee badge stops working should be the same moment every token, certificate, VPN credential, and SSO session tied to that person gets invalidated. That's not aspirational security hygiene — it's table stakes. And yet, post-departure access lapses happen constantly, whether through authentication bugs, misconfigured identity providers, or just someone forgetting to click "deprovision" in the admin console.
Apple is a company with a security team that would make most organizations envious. If a zero-day authentication flaw enabled this access despite proper offboarding, that's genuinely alarming and worth the "rare bug" language. If the access persisted because the offboarding process had gaps, that's a different story — and one that reflects poorly on the controls, not just the vulnerability.
Either way, the outcome is the same: a former employee was allegedly walking Apple's network storage for weeks after leaving, and Apple's server logs are apparently how they figured it out retroactively. Not a real-time detection system. Logs. After the fact.
OpenAI's Position and What Comes Next
OpenAI has publicly stated it has "no interest in other companies' trade secrets," which is the kind of statement that sounds clean until a lawsuit forces discovery and you have to back it up with documentation. Whether OpenAI management was aware of what Liu allegedly brought with him — or whether this was a rogue individual action — will likely be central to how this case develops.
Apple filed in the U.S. District Court for the Northern District of California, has demanded a jury trial, and the case could potentially move to trial within the year. The stakes here extend well beyond two tech giants squabbling: if Apple can demonstrate that OpenAI benefited — even indirectly — from improperly obtained trade secrets, the legal and competitive consequences could be substantial.
For everyone else watching: audit your offboarding process. Right now. Seriously.
What is Apple accusing OpenAI of in its lawsuit?
Apple alleges that a former employee, Chang Liu, exploited an authentication vulnerability to download dozens of confidential hardware-related files after leaving Apple for a job at OpenAI, constituting trade secret theft.
What was the authentication bug Chang Liu allegedly used?
Apple describes it as a 'rare, previously unknown authentication bug' — legally a zero-day vulnerability — that allowed Liu to access Apple's cloud-based network storage after his employment ended. Apple has not disclosed the technical specifics.
Did OpenAI know about the alleged theft?
OpenAI has stated it has 'no interest in other companies' trade secrets,' but whether leadership was aware of what Liu allegedly brought with him remains a key question for the lawsuit's discovery process.
What data did Liu allegedly steal from Apple?
Apple claims Liu downloaded files containing details about unreleased products, engineering presentations, technical specifications, and proprietary project data over several weeks while employed at OpenAI.
Dispatch desk