OpenAI experienced a security incident involving Mixpanel, one of its former analytics providers. In an announcement post, they detailed that limited user information linked to the platform.openai.com interface was exposed, and clarified that ChatGPT users were not affected, nor were OpenAI’s own systems involved.
According to OpenAI, the exposure was limited to analytics data stored in Mixpanel’s environment. No chat content, prompts, API usage logs, passwords, API keys, payment information, or government IDs were included.
Mixpanel identified unauthorized access to part of its infrastructure on November 9, 2025. During this period, an attacker exported a dataset that contained some analytics and profile information connected to OpenAI API accounts. Mixpanel shared the affected dataset with OpenAI on November 25 as part of its investigation.
The dataset included profile details associated with API users, including:
- Name provided on the account
- Email address
- Approximate location based on browser metadata
- Operating system and browser type
- Referring websites
- Organization or user identifiers
In response, OpenAI removed Mixpanel from production services, reviewed the data involved, and began notifying impacted organizations and individuals. The company reports no evidence of exposure beyond Mixpanel’s systems and continues to monitor for potential misuse. OpenAI has ended its use of Mixpanel and is conducting broader reviews of third-party vendors.
ChatGPT users were not affected, and no API requests, prompts, responses, usage data, passwords, credentials, financial information, or authentication tokens were exposed. Password or API key resets are not required.
OpenAI notes that exposed contact details could be used in phishing or social engineering attempts. Users should handle unexpected messages cautiously, verify that communications come from official OpenAI domains, avoid sharing credentials through email or chat, and enable multi-factor authentication for additional security.
Leave a Reply