· 18 wire drops in the last hour
DTWdailytechwire
Tech Intelligence, Wired Daily
Subscribe
Policy

When a Zero-Day Becomes an Exit Liability

Apple's lawsuit against a former engineer reveals how an unpatched authentication flaw let a departing employee access internal systems weeks after joining OpenAI - and the decommissioning gaps that made it possible.

AS
Arjun S. Mehta
Staff Writer · Singapore
Jul 14, 2026
6 min read
When a Zero-Day Becomes an Exit Liability
When a Zero-Day Becomes an Exit LiabilityCredit: Image Credits: Bryce Durbin / TechCrunch

The Breach That Started After Employment Ended

A system electrical engineer named Chang Liu left Apple in early 2026 to join OpenAI. Weeks later, he allegedly discovered something unusual: he could still reach Apple's network storage, a cloud repository holding engineering files, project documentation, and specifications for unreleased products. Instead of reporting the access, Apple claims, Liu downloaded dozens of confidential hardware files over several weeks while working at his new employer.

The access stemmed from what Apple describes as a "rare, previously unknown authentication bug" that the company has since patched. In its complaint filed in the U.S. District Court for the Northern District of California, Apple classifies the flaw as a zero-day vulnerability, one that gave the company no advance warning before exploitation. Server logs reviewed by Apple suggest Liu was the only person who took advantage of the bug, though the flaw could theoretically have allowed "a few other" individuals to access internal data.

At DailyTechWire, we've tracked a growing number of lawsuits and incident disclosures tied to employee offboarding failures across the tech sector. This case stands out because it combines two distinct security problems: an unpatched authentication weakness and an incomplete decommissioning process that left a former employee's credentials and hardware in play.

What an Authentication Bug Actually Means

Apple has not disclosed technical details of the vulnerability Liu allegedly exploited. Authentication bugs generally fall into a few categories: flaws in how login mechanisms verify identity, misconfigurations that grant excessive permissions, or failures to revoke credentials when an employee departs. In enterprise environments, these bugs can allow access even after formal termination procedures are completed, especially when systems rely on separate credential stores or federated identity platforms that do not sync termination events in real time.

The fact that Apple labels this a zero-day indicates the flaw was previously unknown to the company's security teams. Zero-days are prized by attackers precisely because defenders have no patch available. In this instance, however, the alleged exploitation was not by an external adversary but by someone who once held legitimate access and retained the tools and knowledge to reach internal systems.

Liu allegedly used an Apple-issued work laptop he had not returned after leaving. That device, according to the complaint, was once configured to send and receive files from Apple's internal network. When asked to return the laptop, Liu claimed to have "another computer." The combination of retained hardware, lingering credentials, and an unpatched authentication flaw created a window of access that persisted well beyond Liu's last day at Apple.

The Offboarding Gap

Corporate offboarding procedures are designed to cut access immediately. In practice, they often fail. Employees may retain VPN clients, remote-viewing applications, or authentication tokens that continue to work if backend systems do not revoke them properly. In distributed environments with multiple identity providers, cloud services, and legacy on-premises systems, ensuring that every access point is closed can be difficult.

Apple's complaint does not specify when the company decommissioned Liu's credentials. The timeline matters. If access was revoked on his departure date but the authentication bug allowed him to bypass that revocation, the flaw is the primary issue. If credentials were never fully revoked, the gap lies in process. Either way, the result was the same: an employee who no longer worked at Apple could reach sensitive engineering data weeks after joining a competitor.

The complaint also alleges that Liu misused the access of Yu-Ting Peng, an acquaintance who was still employed at Apple and later joined OpenAI. Liu allegedly used Peng's Apple-issued laptop while she remained an active employee and he did not. This suggests a second vector of access, one that relied on social proximity rather than technical exploitation.

What Liu Allegedly Downloaded

Apple claims Liu took "dozens of Apple's confidential hardware-related files" containing detailed information about unreleased products, engineering presentations, technical specifications, and proprietary project data. The complaint does not name the products or projects involved. Given Liu's role as a system electrical engineer, the files likely concerned chip design, power management, or hardware integration for future devices.

In February 2026, Liu allegedly attempted to access Apple's network storage and discovered he still had access. According to the complaint, he wrote to Peng: "LOL, I found out I can access the [network storage], so funny." The message suggests Liu was aware the access was improper but chose not to report it. Under his employment agreement, Apple argues, Liu was obligated to disclose security vulnerabilities and return company property. He did neither.

Apple also claims Liu failed to delete the program that allowed network access. The complaint does not identify the application, but many employees use VPN clients or remote desktop tools approved by their employers. If such a tool remained installed on Liu's retained laptop and his credentials had not been revoked, access would have been straightforward.

The Broader Context of Apple vs. OpenAI

The lawsuit against Liu is part of a larger complaint Apple filed against OpenAI, alleging trade secret theft and efforts to recruit former Apple employees with the intent of obtaining proprietary information. OpenAI has stated it has "no interest in other companies' trade secrets." The case, if it proceeds to trial, could begin later this year. Apple is demanding a jury trial.

The timing is significant. OpenAI has been hiring aggressively across hardware, machine learning infrastructure, and chip design as it builds out its own compute capabilities and explores custom silicon. Apple, meanwhile, has invested heavily in its own AI roadmap, integrating models into iOS, macOS, and future product lines. The two companies are not direct competitors in most markets, but they compete for talent and, increasingly, for control over the AI stack from chip to inference.

Employee mobility between Apple and OpenAI has been high. Engineers with expertise in low-level hardware, custom accelerators, and power-efficient inference are in demand. That mobility creates risk. When employees move between rivals, the line between retained knowledge and stolen data can blur. This case alleges that line was crossed, not through memory or general expertise, but through deliberate access to files after employment ended.

Why Decommissioning Remains Hard

Organizations often assume that terminating an employee's account on their last day is sufficient. In reality, access can persist through cached credentials, shared accounts, OAuth tokens, API keys embedded in scripts, or devices that authenticate independently. Cloud environments complicate the picture further. If an employee's laptop has synced credentials to a cloud identity provider and those credentials are not revoked at the provider level, access may continue.

Apple's infrastructure is known for tight access controls and segmentation, but no system is immune to edge cases. The authentication bug Liu allegedly exploited suggests a gap in how Apple's network storage validated credentials, possibly in how it handled tokens or session persistence. The fact that Apple fixed the bug after discovering the breach indicates the flaw was reproducible and addressable, but it also raises questions about how long the vulnerability existed and whether it was exploited by others.

The case also highlights the risk of retained hardware. If an employee keeps a company-issued laptop and that device has cached credentials or pre-configured access tools, it becomes a vector for unauthorized access. Some companies remotely wipe devices or require physical return before final paychecks are issued. Others rely on trust. The complaint suggests Apple's process in this instance left room for abuse.

What Comes Next

Apple has not disclosed whether it has informed other employees who may have had access to the same network storage during the period the bug existed. If the flaw allowed broader access, the company may face questions about notification obligations under various data protection regimes, though internal engineering files are not subject to the same disclosure requirements as customer data.

The lawsuit will likely turn on two questions: whether Liu knowingly exploited the bug, and whether the files he allegedly took constitute trade secrets under California law. Apple will need to show that the information was not generally known, that it derived economic value from secrecy, and that it took reasonable steps to protect it. Liu's alleged message to Peng, in which he acknowledged improper access with a laugh, may become a key piece of evidence.

For other companies, the case is a reminder that offboarding is not just an HR process. It is a security event. Every departing employee represents a potential vector for data loss, whether through malice, negligence, or unpatched bugs that persist beyond termination. The intersection of those risks, as Apple's complaint illustrates, can be costly.

Read next
Policy

AI Boom Reshapes Japan's Topix as Memory Chipmakers Crowd Out Smaller Stocks

Kenji Watanabe · 5 min
Policy

Home Routers Remain Prime Target in Persistent FSB Infrastructure Campaign

Arjun S. Mehta · 4 min
Policy

Japan Targets 10,000 Autonomous Vehicles by 2030 with Nationwide Network Plan

Kenji Watanabe · 4 min
Spot something wrong? Email corrections@dailytechwire.com. We log every correction publicly.