Intel’s ‘Intel Outside’ Breach Exposed 270,000 Employees’ Data — and the Researcher Who Reported It Was Left Unpaid

A researcher uncovered massive Intel security flaws exposing 270,000 employee records. Intel fixed the issues, but refused bug bounty rewards or meaningful response.

by Oliver Flynn


A major data exposure affecting Intel workers worldwide was recently revealed by an independent security researcher. Eaton Z said flaws in several Intel websites allowed access to private details of more than 270,000 employees.

The breach, which Eaton called the “Intel Outside” project, involved an internal site used by staff to order business cards. Weak login protections opened the door to Intel’s entire global employee directory.

Eaton explained that by modifying a simple JavaScript function, he could trick the system into treating him as a valid user. This bypass gave him access to restricted employee search tools.

From there, the researcher found an API token exposed to anonymous users. The token allowed deeper queries of Intel’s databases, returning far more information than the business card service should ever require.

By removing limits from the API, Eaton downloaded a massive file nearly one gigabyte in size. It contained names, job roles, phone numbers, mailing addresses, and manager details of employees worldwide.

“I was shocked at how much Intel left exposed,” Eaton wrote in his blog post. “This was way more information than an internal business card tool should ever display.”
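One defensive pattern for the business card weaknesses described above (a login check the browser could alter, an API returning more fields than needed, and a result limit the caller could remove) is to enforce all three on the server. The sketch below is an added example, not code from Intel or from the researcher's write-up; the function, field names, session store and directory data are hypothetical and constructed.

```javascript
// Added example. All names and data here are hypothetical and constructed.
const CARD_FIELDS = ["name", "title", "workPhone"]; // only what a card prints
const MAX_PAGE_SIZE = 25; // hard cap applied on the server

// Constructed server-side session store and employee directory.
const SESSIONS = new Map([["s-123", { user: "alice", authenticated: true }]]);
const DIRECTORY = Array.from({ length: 40 }, (_, i) => ({
  name: `Employee ${i}`,
  title: "Engineer",
  workPhone: `555-01${String(i).padStart(2, "0")}`,
  homeAddress: `${i} Constructed St`,
  manager: "Manager Example",
}));

function searchDirectory(request) {
  // 1. Trust only the server-held session, never a flag sent by the browser.
  const session = SESSIONS.get(request.sessionId);
  if (!session || !session.authenticated) return { status: 401, body: [] };

  // 2. Require a search term so an empty query cannot match every record.
  const q = String(request.query || "").trim().toLowerCase();
  if (q.length < 3) return { status: 400, body: [] };

  // 3. Clamp the caller's page size; a missing or huge value gets the cap.
  const n = Number.parseInt(request.limit, 10);
  const limit = Number.isInteger(n) && n > 0 ? Math.min(n, MAX_PAGE_SIZE) : MAX_PAGE_SIZE;

  // 4. Return an allow-list of fields, not the whole record.
  const body = DIRECTORY
    .filter((e) => e.name.toLowerCase().includes(q))
    .slice(0, limit)
    .map((e) => Object.fromEntries(CARD_FIELDS.map((f) => [f, e[f]])));
  return { status: 200, body };
}

// A request that only claims to be logged in is rejected.
console.log(searchDirectory({ isAuthenticated: true, query: "employee" }).status);
// A valid session asking for a million rows still gets a capped, trimmed page.
console.log(searchDirectory({ sessionId: "s-123", query: "employee", limit: "1000000" }).body.length);
```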

The researcher first reported the flaws to Intel in October 2024. By February 28, 2025, he confirmed that Intel had patched all the issues he raised. Only then did he publish details.

While the business card portal drew the most attention, Eaton uncovered similar problems in three more Intel systems. Each could have exposed personal employee data with little effort from attackers.

On the “Product Hierarchy” website, Eaton found hardcoded login credentials protected only by weak encryption. Once decoded, these granted access to employee lists and the possibility of administrator-level control of the system.

Intel’s “Product Onboarding” portal suffered from the same mistake. Again, decrypted credentials could unlock private information on staff. Eaton noted that both sites held far more data than necessary.

Another flaw was found on the SEIMS Supplier Site, which also had bypassable login protections. Like the others, it granted wide access to the details of Intel employees across the globe.

Together, these four separate weaknesses exposed one of the world’s biggest chipmakers to serious risk. All would have allowed an outsider to pull sensitive worker data without proper authorization.

Despite the scale of the exposure, Eaton received no payment through Intel’s bug bounty program. Intel’s policy excludes certain types of internal systems, meaning his reports did not qualify for rewards.

The researcher also criticized Intel’s lack of communication. He said he only received a single automated response after sending his detailed disclosures, with no personal reply from security staff.

“I spent months carefully reporting these flaws so Intel could protect its workers,” Eaton wrote. “To be brushed off with no engagement at all is frustrating.”

Intel has not issued a detailed public statement about the matter. The company has generally said it values security research, but offered no comment on why these cases did not qualify for recognition.

Security experts warn that exposing employee records puts workers at risk of targeted phishing, fraud, and harassment. Even basic details like phone numbers and mailing addresses can be abused when leaked.

Intel, already under pressure for past processor design vulnerabilities, now faces new questions about the strength of its internal systems. Some observers say the incident reflects a wider issue of corporate security neglect.

Eaton stressed that while the flaws are fixed, the incident should serve as a warning. “If I could find these gaps with little effort, others could have too,” he wrote.

The case also highlights ongoing debate over bug bounty programs. Many researchers argue that strict rules exclude real threats, reducing incentives for ethical disclosure and leaving serious holes without proper recognition.

For Intel workers, the incident shows how corporate mismanagement of digital tools can have personal consequences. For months, sensitive data was left open to anyone with minimal technical skill.

Eaton said he has now closed his “Intel Outside” project, satisfied that Intel patched the problems. But the episode raises larger questions about whether companies take employee data protection seriously.
