Data breach at OpenAI through analytics provider Mixpanel platform

OpenAI has confirmed a security incident involving a third-party analytics provider, Mixpanel, which resulted in the exposure of limited user data associated with its API platform. OpenAI stated that the incident did not affect its own systems or compromise user credentials, payment information, or API data.

Incident overview

The incident was related to unauthorised access to a dataset within Mixpanel’s systems. OpenAI reported that an attacker exported data containing certain identifiable information of API account users.

Details potentially exposed included names provided on API accounts, email addresses, approximate location information, operating system and browser details, referring websites, and the organisation or user IDs linked to the API accounts.

OpenAI emphasised that no chat logs, API requests, passwords, keys, payment details or sensitive identification documents were accessed. The data breach affected only information collected for analytics purposes through Mixpanel.

Security response

OpenAI has ended its use of Mixpanel in its production services and reviewed all datasets involved in the incident. The company stated that it has worked with Mixpanel and other partners to assess the scope of the breach and is communicating directly with organisations and users affected.

OpenAI said there is no evidence that the incident impacted any systems or information outside of Mixpanel’s environment. The company has nevertheless stated that it continues to monitor for potential misuse of the affected data.

OpenAI is carrying out expanded security audits across its entire vendor ecosystem and is raising security requirements for all third-party partners. OpenAI also stated that it will hold external vendors to higher security standards as part of its ongoing response.

User impact

Information potentially accessed through Mixpanel may expose users to an increased risk of phishing or social engineering attempts.

Names, email addresses, and user identifiers were among the details exposed. OpenAI has advised all customers and users to remain vigilant for any suspicious or unsolicited communications that could be related to this incident. The company reiterated that it does not request sensitive information such as passwords, API keys, or verification codes via email, text, or chat.

Users have also been encouraged to enable multi-factor authentication as an additional protective measure for their accounts.

Ongoing transparency

“Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel,” said an OpenAI spokesperson.
