
Apple has accused a former engineer of exploiting a previously unknown authentication vulnerability to download dozens of confidential hardware-related files weeks after he joined rival OpenAI, according to a lawsuit filed in the U.S. District Court for the Northern District of California.
The complaint alleges that Chang Liu, a system electrical engineer who left Apple in early 2026 for OpenAI, discovered and weaponized a “rare, previously unknown authentication bug” to access Apple’s cloud-based file repository after his departure. The vulnerability, which Apple says has since been patched, allowed Liu to retrieve unreleased product specifications, engineering presentations, and proprietary project data throughout February 2026.
“LOL, I found out I can access the [network storage], so funny,” Liu wrote in a message to Yu-Ting Peng, a then-Apple employee who later also joined OpenAI, according to the filing.
Apple claims Liu did not report the bug, as required by his employment agreement, and failed to delete the access tool after his departure. The company also alleges that Liu did not return his Apple-issued laptop and used Peng’s work machine while she was still employed at Apple to continue accessing sensitive data.
The lawsuit underscores a growing tension between the two tech giants as OpenAI poaches talent from Apple’s hardware divisions. Apple is demanding a jury trial and has declined to comment on the technical details of the vulnerability or when Liu’s credentials were decommissioned.
OpenAI has previously stated it has “no interest in other companies’ trade secrets.” The company has not commented on the specific allegations in the suit.
The case highlights a persistent blind spot in corporate data security: the gap between an employee’s departure and the full deactivation of their access credentials. When combined with an unreported zero-day vulnerability in the authentication system, that gap becomes an open door.
Sources: Apple says former employee exploited ‘rare’ bug to download confidential files after leaving for OpenAI (TechCrunch, July 2026)

