OpenAI API user data exposed in Mixpanel security breach

OpenAI has confirmed a security incident involving Mixpanel, a third-party web analytics provider it used for its API product frontend. The incident, which was a breach of Mixpanel’s systems and not OpenAI’s infrastructure, resulted in an attacker gaining unauthorised access to and exporting a dataset containing limited identifiable information of some OpenAI API users.
Mixpanel first detected an unauthorised intrusion into a portion of its systems. The attacker successfully exported a dataset containing customer-identifiable and analytics information.
Mixpanel subsequently notified OpenAI, which utilised the provider for web analytics specifically on the frontend of its API product, platform.openai.com. The security incident did not affect users of ChatGPT or other OpenAI products. It was not a breach of OpenAI’s core systems; chat content, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs remain uncompromised.
Mixpanel shared the affected dataset with OpenAI on 25 November 2025, allowing the company to begin its own investigation and notification process.
Affected user information
The data exported from Mixpanel’s environment included limited user profile and analytics information associated with the use of the platform.openai.com interface. The affected information is restricted to:
- Name provided to OpenAI on the API account.
- Email address linked to the API account.
- Coarse approximate location based on the user’s browser (city, state, country).
- Operating system and browser used to access the API account.
- Referring websites.
- Organization or User IDs associated with the API account.
OpenAI’s response to the breach
OpenAI moved quickly to address the exposure. The company immediately removed Mixpanel from its production services following the security investigation.
After reviewing the affected datasets, OpenAI confirmed it terminated its use of Mixpanel. The company now focuses on notifying all impacted organisations, administrators, and individual users directly via email. OpenAI stated that while it found no evidence of misuse, it continues to monitor closely for any signs of related malicious activity.
Furthermore, the company announced it is conducting additional, expanded security reviews across its entire vendor ecosystem and is elevating security requirements for all third-party partners.
Actionable steps for impacted users
The exposed information, which includes names, email addresses, and API metadata, could potentially be leveraged in phishing or social engineering schemes targeting users or their organisations.
OpenAI encourages all API users to remain vigilant against suspicious communications:
- Exercise Caution: Treat unexpected emails or messages with a high degree of suspicion, especially those containing links or file attachments.
- Verify Official Domains: Double-check that any communication claiming to be from OpenAI originates from an official company domain.
- Protect Credentials: Remember that OpenAI will never request passwords, API keys, or verification codes via email, text, or chat.
- Enable Multi-Factor Authentication (MFA): While this incident did not expose credentials, enabling MFA remains a critical security control to protect accounts against unauthorized access. Organizations should enable MFA at the single sign-on layer.
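The domain and credential checks above can be turned into a simple mail-triage rule for a security team that wants to screen inbound messages mentioning the vendor. The following Python script is an added example, not code from OpenAI or Mixpanel. It assumes an allowlist of official sender domains (openai.com is used here only as the illustrative official domain), that the organisation's own MTA adds the Authentication-Results header, and it uses two constructed sample messages, a benign notice and a lookalike-domain phish, to show the findings it raises.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed allowlist of official sender domains. openai.com is only the example
# domain for this article; substitute the domains you actually trust.
OFFICIAL_DOMAINS = {"openai.com"}

# Constructed sample messages (not real mail). The first mimics a legitimate
# notice; the second mimics a phish using a one-letter lookalike domain.
LEGIT_MESSAGE = """From: OpenAI <noreply@openai.com>
To: user@example.org
Subject: Security notice
Authentication-Results: mx.example.org; dkim=pass header.d=openai.com; spf=pass smtp.mailfrom=openai.com

We are writing to let you know about a security incident.
Read more at https://openai.com/
"""

PHISH_MESSAGE = """From: OpenAI Security <accounts@openal.com>
Reply-To: help@support-desk.example
To: user@example.org
Subject: Action required
Authentication-Results: mx.example.org; dkim=none; spf=fail

Your account is at risk. Please confirm your API key at https://openal.com/verify within 24 hours.
"""


def domain_of(header_value):
    """Lowercase domain of an address header value, or '' if it is malformed/absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_official(domain):
    """True if domain is an official domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, max_distance=2):
    """A domain that is not official but sits within a couple of edits of one.
    Caveat: short official domains can produce false positives; tune max_distance."""
    if not domain or is_official(domain):
        return False
    return any(edit_distance(domain, d) <= max_distance for d in OFFICIAL_DOMAINS)


def auth_results(msg):
    """Collect dkim=/spf=/dmarc= verdicts from Authentication-Results headers.
    Only trustworthy if your own MTA strips inbound copies and adds its own."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(dkim|spf|dmarc)=(\w+)", header, re.I):
            results[mech.lower()] = verdict.lower()
    return results


def triage(raw):
    """Return a list of red-flag findings for a raw RFC 5322 message (empty = none)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # A message "claims" the vendor if it uses an official domain or a lookalike.
    claims_official = is_official(from_dom) or is_lookalike(from_dom)

    if is_lookalike(from_dom):
        findings.append(f"lookalike sender domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if claims_official:
        auth = auth_results(msg)
        for mech in ("dkim", "spf"):
            if auth.get(mech) != "pass":
                findings.append(f"{mech} not passing for a message claiming {from_dom}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url_dom in re.findall(r"https?://([^/\s\"'>]+)", text, re.I):
        url_dom = url_dom.lower().split(":")[0]
        if claims_official and not is_official(url_dom):
            findings.append(f"link to non-official domain: {url_dom}")
    # Crude heuristic for the "we never ask for credentials" rule in the advisory.
    if re.search(r"\b(enter|provide|confirm|send|verify|reply with)\s+your\s+"
                 r"(password|api key|verification code)\b", text, re.I):
        findings.append("asks for credentials or codes, which official mail never does")
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("phish", PHISH_MESSAGE)):
        print(label, triage(raw) or ["no red flags"])
```

The checks are deliberately layered: sender-domain allowlisting alone misses lookalikes, lookalike detection alone misses a spoofed official domain, and only the authentication verdicts from your own MTA tell those two cases apart. Treat any finding as a reason to route the message to a human reviewer rather than as proof of phishing.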
OpenAI is not recommending users reset their passwords or rotate their API keys because the breach did not compromise these elements.
For any further concerns, OpenAI has urged users to contact its support team.