OpenAI Discloses Mixpanel Data Breach

OpenAI has publicly revealed a security incident involving Mixpanel, a third-party analytics provider previously used to monitor activity on platform.openai.com, the frontend for its API product.

The company emphasized transparency in its announcement, assuring users that the breach did not compromise OpenAI’s own systems, chat content, API keys, passwords, credentials, or payment information.

On November 9, 2025, Mixpanel detected unauthorized access to a portion of its systems. The attacker exported an analytics dataset that included identifiable information of some OpenAI API users.

Investigation Findings

Mixpanel notified OpenAI about the situation, and OpenAI launched an internal investigation. On November 25, 2025, Mixpanel confirmed the details of the affected dataset with OpenAI.

Notably, only users of the API platform (platform.openai.com) were potentially impacted. Those who use ChatGPT or other OpenAI products were not affected.

The incident involved the following information: the name provided on the OpenAI API account, email address, approximate location (city, state, country) based on browser info, operating system and browser used, referring websites, and organization or user IDs linked to the account. There was no exposure of chat or API content, passwords, payment details, or government IDs.

OpenAI’s Response

After learning about the incident, OpenAI removed Mixpanel from its production environment and performed a thorough review of the affected datasets.

They are directly notifying all organizations, administrators, and users who may have been impacted.

OpenAI stated they found no evidence that any data beyond Mixpanel’s systems was affected, but they are actively monitoring for any misuse.

OpenAI has ended its engagement with Mixpanel and is conducting additional security reviews with all vendor partners, raising its security standards across the board.

Users should remain alert to potential phishing or social engineering attempts, especially given the involvement of information such as names and email addresses.

Be cautious with unexpected emails or messages, especially those containing links or attachments. Ensure any communications claiming to be from OpenAI come from official domains.

OpenAI will never request your password, API key, or verification code through email or chat. For added protection, enable multi-factor authentication (MFA) on your OpenAI account.

OpenAI reaffirmed its dedication to privacy, security, and transparency as it continues to communicate openly about such incidents.
