A lapse in the security of several of Intel’s internal portals led to one of the most serious leaks the company has reported in recent years. According to research by Eaton Works, more than 270,000 Intel employees were exposed along with sensitive supplier information.
What happened with Intel’s portals?
Four internal web applications were discovered with critical flaws that allowed anyone with basic knowledge to access internal data without authorization. Among the issues identified were:
- Client-side authentication bypasses (it was enough to modify the JavaScript to get in).
- Hardcoded credentials in the code for accessing internal services.
- Missing server-side validation, which allowed token forgery.
- Exposed API keys and GitHub access in product management systems.
These oversights enabled a researcher to download complete databases of employees and suppliers, without needing to crack complex encryption or exploit sophisticated vulnerabilities.
Hierarchy Owner (Source: Cyber Security News)
Examples of the most severe breaches
One of the most striking cases was a portal for Intel India employees to request business cards. Just a small change in the site’s code was enough to bypass the Microsoft Azure corporate login.
Once inside, there was an open API that generated valid tokens and allowed access to the full employee database. The result: a nearly 1 GB file with names, roles, emails, phone numbers, and Intel’s internal hierarchy worldwide.
In another portal, dedicated to product management, passwords were found encrypted with an absurdly weak AES key: 1234567890123456. They could be decrypted in minutes, giving access to the same employee database.
And in the Supplier EHS IP Management System (SEIMS), designed to handle suppliers and NDAs, the flaw was even more ridiculous: the backend accepted the string “Not Autorized” (yes, misspelled) as a valid token. With that, confidential supplier and intellectual property data could be accessed.
Encryption (Source: Cyber Security News)
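The SEIMS flaw and the missing server-side validation listed earlier share one root cause: the backend never checked that a token was one it had issued. The sketch below is an added example, not Intel's code and not taken from the original research; the function names, token layout and demo key are assumptions. It contrasts a presence-only check with an HMAC signature and expiry check performed on the server.

```python
import base64, hashlib, hmac, json, os, time
from typing import Optional

# Constructed demo key. In a real service the key comes from a secret store,
# never from source code (hardcoded credentials were one of the reported flaws).
SECRET = os.environ.get("DEMO_TOKEN_KEY", "constructed-demo-key").encode()

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue_token(user: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Called only after the server itself has authenticated the user."""
    issued = time.time() if now is None else now
    body = _b64(json.dumps({"sub": user, "exp": int(issued) + ttl}).encode())
    return f"{body}.{_sign(body)}"

def naive_check(token: str) -> bool:
    """Anti-pattern: any non-empty string passes, including an error message."""
    return bool(token)

def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        body, sig = token.split(".")
        # Constant-time comparison against the signature the server would produce.
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None
        claims = json.loads(_unb64(body))
        current = time.time() if now is None else now
        if not isinstance(claims, dict) or claims.get("exp", 0) <= current:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed input is rejected, never treated as valid

if __name__ == "__main__":
    good = issue_token("alice")
    for candidate in (good, "Not Autorized", good.split(".")[0] + ".AAAA"):
        print(repr(candidate[:24]), naive_check(candidate), verify_token(candidate))
```

Only the server holds the signing key, so editing client-side JavaScript or sending an arbitrary string yields nothing the verifier accepts.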
How did Intel respond?
The researcher reported the flaws in October 2024 under Intel’s bug bounty program. However, the company’s policy does not reward bugs in its web infrastructure, so he only received an automated response.
On the positive side, Intel fixed all the flaws before the 90-day disclosure deadline. On the negative side, the scale of the leak had already exposed hundreds of thousands of employees and their strategic partners.
Email response (Source: Cyber Security News)
Lessons from this case
Even though direct financial data such as social security numbers or salaries were not leaked, the exposure of personal and corporate information at this scale is a stark reminder that even tech giants can make basic security mistakes.
At TecnetOne, we say it clearly: no matter the size of your company, neglecting internal application security can have disastrous consequences. Proper server-side validation, secure credential management, and continuous monitoring are not optional — they’re essential.