
Starting in September 2014, Lenovo shipped consumer laptops with pre-installed Superfish VisualDiscovery adware that intercepted all HTTPS traffic using a self-signed root certificate. This effectively broke the encryption of every secure website — banking, email, medical — enabling man-in-the-middle attacks. The same root certificate and weak private key were used on all affected PCs, meaning anyone who extracted the key could intercept any affected user's encrypted traffic. DHS issued an advisory to uninstall immediately.
“Lenovo is shipping laptops with pre-installed software that breaks HTTPS encryption on every website you visit. This is a manufacturer-level security compromise.”
From “crazy” to confirmed
The Claim Is Made
This is the moment they called it crazy.
When you buy a new computer, you expect it to work as advertised. You don't expect it to systematically intercept every secure message you send — your banking passwords, your medical records, your private emails — and leave those communications vulnerable to anyone with basic technical knowledge.
Yet that's exactly what Lenovo did to millions of customers starting in September 2014.
The Chinese computer manufacturer began pre-installing software called Superfish VisualDiscovery on consumer laptops. Officially, it was just a visual search tool designed to help users find similar images while shopping online. Lenovo presented it as a useful feature, bundled with the system so customers wouldn't have to download it themselves. Convenient, the company suggested. Value-added.
What Lenovo didn't adequately disclose was how Superfish worked. To intercept images across the web and perform its visual search function, the software had to position itself between your computer and every website you visited. It did this by installing a self-signed root certificate that the computer was set to trust, which in effect gave the software a digital key for decrypting HTTPS traffic to any secure website.
HTTPS encryption is the lock-and-key system that protects your passwords, medical information, and financial data from being read in transit. It's the reason your banking website appears to be secure. Superfish was effectively opening that lock.
The problem went deeper than mere surveillance. Security researchers discovered that the same root certificate and its private key were hardcoded on all affected laptops. The private key — the crucial piece that should remain secret — was weak and easily extracted. Once researchers published how to do it, any attacker on the same network could theoretically intercept and decrypt the HTTPS traffic of any Superfish-infected machine. A man-in-the-middle attack became trivial.
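A detection check that follows from this design, as an added example (not code from Lenovo, Superfish or the original article): because one locally trusted root sits in front of every site, an affected machine sees the same substitute issuer on unrelated hosts instead of each site's own CA. The certificate dicts use the shape of Python's `ssl` `getpeercert()`; the hostnames, CA names and the reference view taken from a trusted vantage point are constructed sample data.

```python
from collections import defaultdict


def issuer_name(cert):
    """Issuer organizationName (else commonName) from a getpeercert()-style dict."""
    fields = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return fields.get("organizationName") or fields.get("commonName") or "<unknown>"


def substituted_issuers(local_view, reference_view):
    """Map each issuer seen only on the endpoint to the hosts whose issuer it replaced."""
    replaced = defaultdict(list)
    for host, local_cert in sorted(local_view.items()):
        ref_cert = reference_view.get(host)
        if ref_cert is None:
            continue  # no baseline for this host, nothing to compare
        if issuer_name(local_cert) != issuer_name(ref_cert):
            replaced[issuer_name(local_cert)].append(host)
    return dict(replaced)


def interception_suspects(local_view, reference_view, min_hosts=2):
    """Issuers that replaced the expected issuer on at least min_hosts hosts.

    A single mismatch can be an ordinary CA change; the same replacement
    issuer across unrelated hosts points at a local interception root.
    """
    hits = substituted_issuers(local_view, reference_view)
    return {iss: hosts for iss, hosts in hits.items() if len(hosts) >= min_hosts}


def sample_cert(org):
    # Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),))}


# Constructed sample data: hostnames and "Example CA" names are placeholders
REFERENCE = {
    "bank.example": sample_cert("Example CA One"),
    "mail.example": sample_cert("Example CA Two"),
    "clinic.example": sample_cert("Example CA Three"),
}
CLEAN_ENDPOINT = dict(REFERENCE)
AFFECTED_ENDPOINT = {host: sample_cert("Superfish, Inc.") for host in REFERENCE}

if __name__ == "__main__":
    print("clean:   ", interception_suspects(CLEAN_ENDPOINT, REFERENCE))
    print("affected:", interception_suspects(AFFECTED_ENDPOINT, REFERENCE))
```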
Confirmed: They Were Right
The truth comes out. Officially documented.
Lenovo's initial response minimized the issue. The company claimed Superfish was optional, though many users reported it came pre-installed. Lenovo also initially defended the software's security model, not fully acknowledging the cryptographic vulnerability.
Then the Department of Homeland Security issued an advisory. In February 2015, the Cybersecurity and Infrastructure Security Agency (CISA) recommended that users immediately uninstall Superfish, warning that it "potentially compromises the integrity of HTTPS traffic and sensitive information transmitted by the user." This wasn't speculation or theory — it was an official government assessment of the actual threat posed by software Lenovo had quietly installed on consumer machines.
What followed was a cascade of security researchers, journalists, and affected customers documenting the same vulnerability. Lenovo eventually pulled Superfish from new machines and offered removal tools, but the damage to trust was already done.
This wasn't a case of a security flaw that slipped through quality assurance. This was a business decision to monetize user behavior by intercepting their web traffic, implemented with cryptographic practices so poor that security professionals were stunned. Lenovo had knowingly accepted the security risks to earn money from targeted advertising.
It demonstrated that major corporations could compromise fundamental internet security with barely a whisper of disclosure. For those paying attention, it raised a lasting question: what other pre-installed software on your devices might be quietly intercepting your most sensitive communications?
Beat the odds
This had a 0% chance of leaking — someone talked anyway.
Conspirators: ~150 (Network)
Secret kept: 0.5 years
Time to 95% exposure: 500+ years