OpenAI API User Data Exposed in Mixpanel Breach, ChatGPT Unaffected – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More


OpenAI confirmed a third-party data breach via Mixpanel, exposing limited API user metadata like names, emails and browser info. OpenAI systems were not breached, and no passwords, API keys, chats or payment data were exposed.

OpenAI has confirmed a data breach involving Mixpanel, a third-party analytics tool it used to monitor API dashboard activity. This wasn’t a direct attack on OpenAI’s systems but a compromise of Mixpanel, where an attacker accessed and exported data linked to API users.

To be specific, this wasn’t about passwords, payment info or anything that gives direct access. What got taken was account metadata, the kind of stuff analytics tools collect by default, including:

  • Name
  • Email address
  • Referring website
  • City, state or country
  • Internal user or org ID
  • Browser and operating system

OpenAI responded by immediately removing Mixpanel from its production systems and launching a review to identify what was affected. It has since notified all impacted users. The company is also conducting a broader audit of its external vendors and has advised users to turn on multi-factor authentication and be cautious with unsolicited messages or phishing attempts.

It’s worth clarifying that regular ChatGPT users weren’t affected. The exposure was limited to those who interacted with OpenAI through its API platform.

Mixpanel confirmed that it had detected suspicious access on one of its service environments and that the attacker had exported data belonging to multiple customers, including OpenAI. The company says it has since resolved the vulnerability and engaged external security experts to investigate.

This kind of third-party breach is far from rare. Many companies rely on analytics providers, payment processors, and support platforms, each of which brings a certain level of risk. While no system is bulletproof, what matters is how companies react once something breaks. In this case, OpenAI took its vendor offline, dug through the damage, and notified those affected without delay.

The good news is that ChatGPT user data wasn’t affected, and OpenAI has already cut off the third-party vendor involved. The downside is that some data was stolen, and there’s a real chance it could be leaked or used in phishing attempts targeting those same users.

Therefore, be cautious with any emails claiming to be from OpenAI or Mixpanel, especially ones asking you to reset passwords or review security settings. It’s also a good time to enable two-factor authentication on both your OpenAI account and the email linked to it.




