"LOL, So Funny": Why Bad Security Led to Apple Suing OpenAI
An engineer kept his access for weeks after quitting. AI agents will make this a hundred times worse.
If you’re going to steal trade secrets from the most secretive company on earth, maybe don’t text “LOL, I found out I can access the [network storage], so funny” to a friend who still works there. Especially not from an Apple-issued laptop that Apple has been asking you to return for weeks. According to the lawsuit Apple filed on Friday, that is exactly what one of OpenAI’s hardware engineers did.
Apple sued OpenAI because a now-OpenAI engineer still had access to Apple corporate information and was downloading stuff. This probably happens in the thousands across all companies. And, it’s only getting more dangerous. AI agents can exploit access like never before.
This prominent Apple lawsuit made me dig a bit deeper into this case study and there are some learnings here. I read the 41-page complaint this weekend and it was one of the more head-scratching lawsuits I have heard about. The quoted messages read like teenagers passing notes, except the notes sat on Apple-issued laptops and the subject was unreleased iPhone hardware.
Here is the TLDR. Chang Liu spent 8 years as an iPhone engineer. He resigned on January 22, 2026 to join OpenAI and kept an Apple laptop. On February 9 he discovered that, thanks to an authentication bug, his access to Apple’s internal file storage still worked. He allegedly downloaded dozens of confidential files about unreleased products, including a compilation of technical documents over a thousand pages long, all while building hardware at OpenAI. Yu-Ting “Alyssa” Peng was Liu’s friend and still a full Apple engineer during all of this. Liu allegedly sent her links to Apple’s proprietary folders, coached her on copying files “to avoid trouble with the security team,” and told her which confidential material to study for her OpenAI interview. When he shared his “LOL” discovery, her reply was “I’m ready.” She joined OpenAI in April. Apple found all of it months later, through its own investigation. The case is Apple Inc. v. Liu, and Liu is the first named defendant, listed ahead of OpenAI itself.
Everything about Liu and Peng is allegation, not proven fact. But strip away the gossip and there are three distinct problems in this story:
A) A person who left still had access. For weeks.
B) Two ordinary engineer logins could reach incredibly confidential data. Over a thousand pages of unreleased product engineering.
C) AI agents will make this 100x worse.
Let’s take them in order.
Case Documents
A) The leaver who never left
Liu handed in his resignation and walked out with a laptop Apple’s network still trusted. Apple chased him about returning devices and got silence. Eighteen days later, his access still worked. That is an offboarding failure, and it is the root cause of part of the case.
Here is the twist that makes offboarding harder in the agent era: it is becoming harder to offboard everything that belongs to departed employees. The service accounts they created, the API keys they minted, the agents they set up running under custom credentials, all of it keeps working after the goodbye party. Liu kept a laptop. The next Liu leaves behind an agent that keeps acting as him long after his badge is dead.
B) One login, a thousand pages
It would be easy to file this whole story under “poor offboarding” and move on. But Peng was a fully employed Apple engineer the entire time she was allegedly receiving links to proprietary folders and downloading files. From the system’s point of view, an employee opened folders she was allowed to open. There was nothing to flag.
Which brings us to the number nobody measures: how much can one login actually reach? Access accumulates like house keys. You join a team and get a key, then help on a project and pick up another one, and after 8 years you carry a keychain the size of a fist. Nobody collects keys back, because revoking access might block someone’s work and no one wants to be that person. At Apple, per the complaint, one engineer’s keychain included over a thousand pages of unreleased product engineering. Frankly, most companies couldn’t even measure that number for their own people if they tried.
C) Agents make it 100x worse
Liu allegedly needed weeks for all of this. He browsed folders, picked out the valuable files, sent Peng directions to specific project directories. Finding the crown jewels inside a giant repository takes time and know-how, and that effort has quietly been the last line of defense at most companies. The data was reachable, but somebody had to go dig.
AI agents delete that effort. Every company is wiring AI assistants into Google Workspace and Microsoft 365 through connectors (MCPs) that let an agent read whatever the logged-in user can read. Any legitimate login can now be turned into a vacuum cleaner, and the whole exploit fits in one sentence: “Look through everything I can access with the Google MCP and find the most confidential files.” The agent comes back in minutes with what took Liu weeks of evenings. It works the same for a disgruntled employee as for a hacker with a stolen login. And soon it will work for a company’s own agents, the moment one gets compromised or pointed at the wrong goal.
I wrote earlier this year about why attackers running fleets of agents changes the math for defenders. Your own agents are part of that math too, because they multiply whatever access model you already have. My honest prediction: we will see breaches like this constantly over the next few months, and the Liu case will look quaint in hindsight. He did it by hand, and he had to ask a friend which folders were worth reading.
Why nobody has solved this yet
Access management is super, super hard. In my opinion, the fellowing are the deep problems underneath this case, and agents make almost every one of them worse:
Access piles up and nobody takes it back. Every job change adds keys. Revoking might break something, so no one does.
Nobody can measure what one login can reach. Not which apps, but which folders, repos, and admin rights.
A legitimate insider looks like anyone doing their job. Peng opened folders she was allowed to open. There was nothing to flag.
Offboarding ends the job, not the access. Liu kept his logins for weeks. And nobody knows what else was his: the service accounts and keys he created might have stayed alive after his account died.
Anything wired to your account gets everything you have. Liu still had to dig by hand. An AI connector hands the whole keychain to whatever asks, and there is no way today to grant just the slice a task needs.
Logs will say the human did it. The moment agents act on people’s credentials, the Peng problem gets worse: you can’t flag misuse you can’t even attribute. Security teams ask us versions of this constantly (”the GitHub logs say it’s our employee, how do we know it wasn’t an agent?”).
Where this goes
The court will decide what Chang Liu did or didn’t do. The broader point is that the stakes of identity and access management are about to go through the roof. When a login can be turned into a vacuum cleaner with one prompt, companies will need to think about three things more deeply:
You can see what any identity can reach. One live map of every login, key, and agent, down to folders and admin rights. The number Apple got from legal discovery should come from an “always-on” system.
Access expires by default. Grants dissolve unless someone re-justifies them, so the keychain shrinks on its own instead of growing.
Agents defend you. Attackers already run fleets. The only defense that prevents access abuse is your own fleet of agents, watching every identity continuously.
This is exactly what we are tackling at Lumos. If identity in the agent era concerns you (or fascinates you), email me at andrej@lumos.com or find me on LinkedIn. I’d love to compare notes.
Andrej


