A security researcher discovered multiple flaws in Intel’s internal systems that allowed the exfiltration of sensitive data for roughly 270,000 employees. Eaton Zveare says he accessed four vulnerable services, collected a nearly 1GB JSON file containing employee records, and spent months notifying Intel and urging fixes. The episode ended, he says, with a single automated “Thank You !” email and no immediate engagement from the company’s bug bounty program.
How the Researcher Discovered the Exposure
Zveare first found the problem on Intel’s corporate business-card ordering site used in India. An unauthenticated API call returned far more data than expected.
“It gave me a nearly 1GB JSON file. This file contained the details of every Intel employee. Through 1 API request, I just exfiltrated a wealth of detailed information,” Zveare wrote on LinkedIn.
He then probed other internal web apps. In total he identified four independent vulnerabilities that, combined, exposed information for more than 270,000 Intel employees and workers. In some cases the issues were bypasses of client-side protections. In others they were hardcoded or plainly visible secrets.
Four Vulnerable Systems and What They Exposed
Zveare’s report describes four distinct systems that leaked data or contained weak controls.
Business Card Ordering Site (India)
A client-side JavaScript redirect was bypassed by modifying a function to return a non-empty array. That allowed access to an unauthenticated API that returned a large JSON payload. The sample included employee names, roles, manager names, phone numbers, and mailbox addresses. Zveare posted a screenshot that included the profile of former CEO Pat Gelsinger.
Hierarchy Management Website
This internal site used client-side encryption with a hardcoded key. Zveare said the “encryption is 100% pointless” because the key and mechanism were present in client code, making it trivial to decrypt stored passwords. The decrypted admin credential used obvious sequences such as “123…” and “abc…”. That hardcoded credential granted administrative access and exposed internal organizational data, and Zveare says it included references to unreleased product information.
Product Onboarding Portal
Credentials for multiple APIs were stored in plain text inside JavaScript comments. Zveare reported finding a misplaced encrypted GitHub personal access token and other secrets. The portal is used to upload product metadata, and the discovered comments and tokens could have enabled broader access to product resources.
SEIMS (Supplier EHS IP Management System)
The supplier-facing system’s corporate login was compromised through the same pattern of client-side weaknesses and exposed employee records. With additional client-side modifications, Zveare said full access to supplier documents was possible, including product reports and nondisclosure agreements.
Across these systems, the exposed material varied but included employee contact details, organizational roles, and records tied to suppliers and products. Zveare emphasized that while he did not find salary or Social Security numbers in the sample, the scope of the employee data leak was still significant.
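The hardcoded key on the hierarchy site and the credentials left in JavaScript comments on the onboarding portal are both things a build-time check can flag before a bundle ships. The scanner below is an added example, not code from Zveare's report or from Intel; its rule patterns, function names and sample bundle are assumptions constructed for illustration.

```javascript
// Added example: pre-deployment scan of a client bundle. The rule patterns and
// SAMPLE_BUNDLE are constructed for illustration.
const SECRET_IN_COMMENT = /(pass(word|wd)?|secret|token|api[_-]?key)\s*[:=]\s*\S+/i;
const HARDCODED_KEY = /\w*(key|secret|passphrase)\w*\s*[:=]\s*(['"`])[^'"`]{8,}\2/i;

// Split comments from code in one pass so "//" inside a string literal (a URL)
// is not read as a comment. Regex literals are not parsed here.
function splitSource(src) {
  const comments = [];
  let code = '', line = 1, i = 0;
  while (i < src.length) {
    const c = src[i], two = src.slice(i, i + 2);
    if (two === '//' || two === '/*') {
      let end = two === '//' ? src.indexOf('\n', i) : src.indexOf('*/', i + 2);
      end = end === -1 ? src.length : end + (two === '//' ? 0 : 2);
      const parts = src.slice(i, end).split('\n');
      parts.forEach((text, n) => comments.push({ line: line + n, text }));
      code += '\n'.repeat(parts.length - 1); // keep code line numbers aligned
      line += parts.length - 1; i = end;
    } else if (c === '"' || c === "'" || c === '`') {
      let j = i + 1;
      while (j < src.length && src[j] !== c) j += src[j] === '\\' ? 2 : 1;
      const lit = src.slice(i, j + 1);
      code += lit; line += lit.split('\n').length - 1; i = j + 1;
    } else { code += c; if (c === '\n') line++; i++; }
  }
  return { comments, code };
}

function scanBundle(src) {
  const { comments, code } = splitSource(src);
  const findings = [];
  for (const { line, text } of comments)
    if (SECRET_IN_COMMENT.test(text)) findings.push({ rule: 'secret-in-comment', line });
  code.split('\n').forEach((text, n) => {
    if (HARDCODED_KEY.test(text)) findings.push({ rule: 'hardcoded-key', line: n + 1 });
  });
  return findings.sort((a, b) => a.line - b.line);
}

const SAMPLE_BUNDLE = [
  'const api = "https://portal.example.test/api"; // base URL',
  '// TODO remove: username=svc_upload password=EXAMPLE-NOT-REAL',
  'const ENC_KEY = "constructed-demo-key-0001";',
  'function decrypt(blob) { return aesDecrypt(blob, ENC_KEY); }',
  '/* staging',
  '   token: EXAMPLE_PLACEHOLDER_TOKEN */',
].join('\n');
console.log(scanBundle(SAMPLE_BUNDLE));
```

A hit from either rule means the value is already readable by anyone who loads the page, so the remedy is to rotate it and move the operation server-side, not to obfuscate the bundle.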
Timeline of Disclosure and Intel’s Response
Zveare followed a responsible disclosure path and reported the first vulnerability on October 14, 2024. His initial submission to Intel generated an automated reply that read simply, “Thank You !” and stated the issue fell outside the web infrastructure scope of Intel’s then-active bug bounty program.
He reported additional flaws on October 29 and November 12, 2024, and sent multiple follow-up messages urging credential rotation and remediation. According to Zveare, significant fixes arrived about 90 days after the initial report. On February 28, 2025, he notified Intel of his intent to publish the findings, but he delayed public disclosure and released the full report on August 18, 2025.
Zveare contrasted payouts for hardware bugs with the apparent silence around web bugs. He noted that hardware vulnerabilities can earn large bounties — sometimes up to $100,000 — while website and API issues historically went into a “black-hole inbox.” He also observed that Intel has recently expanded its bug bounty coverage to include more services.
Researcher Observations and Public Notes
In his write-up, Zveare highlighted how trivial client-side modifications and hardcoded secrets enabled broad access. He described the experience as “a one-way black hole,” referring to the limited response after disclosure.
“There were not 1, not 2, but 4 vulnerabilities that allowed me to exfiltrate sensitive information about more than 270k Intel employees/workers,” he wrote, describing creative JavaScript patching used to break into internal sites.
He also declined to test certain potentially sensitive tokens or take actions that would have crossed legal or ethical boundaries. Instead, he shared samples and documentation with Intel and waited for remediation.
What the Incident Means for Enterprise Security Teams
The Intel data exposure centers on common enterprise security failures: unauthenticated APIs, client-side trust, and hardcoded credentials. The case illustrates how a chain of modest weaknesses across internal systems can yield a large employee data leak. Zveare’s disclosures prompted remediation, and the researcher reports that some issues were resolved after repeated reporting.
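The business-card site shows why a redirect in browser code is not an access control: the API behind it still answered anyone. The sketch below is an added example, not Intel's code. It sets a handler that trusts the client beside one that authenticates, authorizes, projects an allow-list of fields and caps page size on the server. The session store, scope name, header name and directory rows are hypothetical and constructed.

```javascript
// Added example: all names and data here are hypothetical and constructed.
const DIRECTORY = [
  { id: 1, name: 'A. Example', role: 'Engineer', manager: 'C. Example', phone: '555-0100' },
  { id: 2, name: 'B. Example', role: 'Analyst', manager: 'C. Example', phone: '555-0101' },
  { id: 3, name: 'C. Example', role: 'Director', manager: 'D. Example', phone: '555-0102' },
];
const SESSIONS = new Map([
  ['sess-constructed-1', { scopes: ['cards:order'] }],
  ['sess-constructed-2', { scopes: [] }],
]);
const PUBLIC_FIELDS = ['id', 'name', 'role']; // only what the card form needs
const MAX_PAGE = 2;                           // hard server-side page cap

// Weak pattern: the only gate is a redirect in browser code, so the API
// answers any caller and serialises every column of every row.
function listEmployeesWeak(_req) {
  return { status: 200, body: DIRECTORY };
}

// Hardened: the server checks the session and scope on every request, returns
// an allow-listed projection, and caps how many rows one call can return.
function listEmployeesHardened(req) {
  const session = SESSIONS.get((req.headers || {})['x-session'] || '');
  if (!session) return { status: 401, body: { error: 'authentication required' } };
  if (!session.scopes.includes('cards:order'))
    return { status: 403, body: { error: 'not authorised' } };
  const q = req.query || {};
  const limit = Math.min(Math.max(parseInt(q.limit, 10) || 1, 1), MAX_PAGE);
  const offset = Math.max(parseInt(q.offset, 10) || 0, 0);
  const rows = DIRECTORY.slice(offset, offset + limit)
    .map(r => Object.fromEntries(PUBLIC_FIELDS.map(f => [f, r[f]])));
  return { status: 200, body: rows };
}

console.log(listEmployeesWeak({ headers: {} }).body.length);           // whole table
console.log(listEmployeesHardened({ headers: {}, query: {} }).status); // rejected
```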
Intel has not provided a public, detailed timeline of mitigations beyond the company’s general vulnerability handling policies, and it did not immediately respond to requests for comment about the specific incidents described in Zveare’s report.