OpenAI Reveals Mixpanel Data Breach Exposing User Details

OpenAI has publicly disclosed a security incident involving a data breach at Mixpanel, a third-party analytics provider previously used by the company for monitoring usage on its API platform.

The breach exposed limited but sensitive user information, including names, email addresses, operating system details, and browser metadata.

According to OpenAI, the incident originated within Mixpanel’s infrastructure and did not involve any attack or breach of OpenAI’s own systems.

On November 9, 2025, Mixpanel detected unauthorized access to a portion of its environment and uncovered that an attacker had exported a dataset containing customer-identifiable analytics data.

Mixpanel notified OpenAI about the breach and, by November 25, 2025, shared the specific dataset affected.

The affected data was tied exclusively to users of OpenAI’s API product via the platform.openai.com frontend interface. ChatGPT users and other OpenAI services were not impacted by this event.

OpenAI emphasized that the compromise did not include chat records, API usage data, passwords, credentials, API keys, payment information, or government-issued identity documents.

What Data Was Exposed?

The information potentially exposed in this incident included:

| Field | Details |
| --- | --- |
| Name | The name provided by the user on their API account |
| Email Address | Email tied to the API account |
| Approximate Location | City, state, country (based on browser geolocation) |
| Operating System and Browser | Used to access the API account |
| Referring Websites | URLs directing users to the API platform |
| Organization or User IDs | Metadata assigned to API accounts |

OpenAI clarified that although the breach included personal and system details, highly sensitive data such as credentials, passwords, or financial information was not part of the export.

OpenAI’s Response and Next Steps

Following notification from Mixpanel, OpenAI swiftly removed all Mixpanel analytics integrations from its production services and conducted an internal review of the affected datasets.

The company states it is working closely with Mixpanel to fully assess the breach’s scope and impact and is notifying all impacted organizations, admins, and users directly.

Additionally, OpenAI has decided to permanently discontinue its use of Mixpanel and is conducting expanded security reviews across its vendor ecosystem, with increased security requirements for all third-party vendors going forward.

OpenAI urges affected users to remain vigilant for phishing or social engineering attacks that could exploit the exposed data. Anyone who receives an unexpected email or message should:

  • Treat unsolicited communications cautiously, especially those containing links or attachments.
  • Verify the sender’s domain to ensure messages claiming to be from OpenAI are legitimate.
  • Remember that OpenAI will never ask for passwords, API keys, or verification codes through email, text, or chat.
  • Activate multi-factor authentication for added account security.

OpenAI reaffirmed its commitment to transparency and security, emphasizing that user trust is foundational to its mission. The company pledged to communicate openly regarding security issues and to hold partners and vendors to rigorous security standards.

The incident serves as a reminder of the risks posed by third-party service providers and highlights the importance of continuous security reviews and strong vendor management practices in safeguarding user data.
