OpenAI has reported a security incident that came from its third-party analytics vendor, Mixpanel. The issue began when an attacker gained unauthorized access to part of Mixpanel’s systems on November 9, 2025. Mixpanel later shared the affected dataset with OpenAI on November 25. After reviewing it, OpenAI confirmed that some API customer data was included.

OpenAI made it clear that its own systems were not breached in this incident. No ChatGPT conversations, API usage data, passwords, API keys, or payment details were exposed. The data involved was limited and came only from Mixpanel’s environment. This means regular ChatGPT users and core OpenAI services were completely unaffected.

The dataset mainly contained basic identifying information such as names and email addresses of some API users. It also included approximate location details based on browser metadata. Along with that, device and browser information like operating system and browser type appeared in the dataset. Some organization or user IDs linked to API accounts were also part of the exposure.

OpenAI stated that only a portion of API users were affected by this breach. These users are generally developers or companies that use OpenAI’s API platform. None of the conversations or activities of ChatGPT consumer users were touched. OpenAI is notifying everyone whose information was included in the Mixpanel export.

Right after learning about the situation, OpenAI removed Mixpanel from all production systems. The company also started a detailed review of the exposed information. It began informing impacted organizations and users individually. At the same time, OpenAI expanded security checks across all external vendors.

OpenAI’s investigation found no evidence that the breach extended beyond Mixpanel’s systems. There were no signs of unauthorized access to any other OpenAI data or internal tools. Even though the exposed details were limited, OpenAI is still monitoring the situation closely. The company continues to work with Mixpanel to ensure the issue is fully contained.

Although the leaked information was not highly sensitive, there is still some risk. OpenAI warned that attackers may attempt phishing or try to trick users with fake emails. Such attempts might misuse names and email addresses obtained from the dataset. Because of this, affected API users are advised to stay alert and verify unexpected messages.

To stay protected, OpenAI recommends enabling multi-factor authentication on all accounts. Users should avoid sharing credentials through email or any untrusted source.

In summary, the breach came from Mixpanel and not from OpenAI’s own systems. Critical data remains safe, and OpenAI is taking strong steps to protect users going forward.

Stay alert, and keep your security measures updated!
