OpenAI API customer details, including user IDs, exposed in Mixpanel data breach

OpenAI disclosed on Thursday, November 27, that users of its API platform may have had their personal data – such as organisation or user IDs – exposed after hackers breached a third-party vendor that the AI startup was using for web analytics.

Data analytics provider Mixpanel suffered a data breach after an attacker gained unauthorised access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information, OpenAI said in a blog post.

The data breach took place on November 9, 2025. “Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us,” the ChatGPT-maker said.

It emphasised that OpenAI’s systems were not compromised in the attack. However, the account information of users registered on OpenAI’s API platform (platform.openai.com) was stolen by the hackers. This information includes API account user names, email addresses, operating system and browser details, organisation or user IDs associated with the API account, approximate coarse location based on API user browser (city, state, country), and referring websites.

OpenAI offers its paying customers access to its AI models and tools through an Application Programming Interface (API) — a set of defined instructions that enable different applications to communicate with each other. The platform is used mainly by OpenAI’s developer community, who use the paid API access to power their own AI applications.

Mixpanel, on the other hand, is a third-party web analytics provider that OpenAI had been using to analyse product usage and improve services offered through its API product.

Front-end users of ChatGPT and other OpenAI products were not impacted by the data breach, as per the Microsoft-backed startup. It clarified that chat-related data, API requests, API usage data, passwords, credentials, API keys, payment details, and government IDs were not compromised or exposed in the malicious attack.

“Additionally, we have confirmed that session tokens, authentication tokens, and other sensitive parameters for OpenAI services were not impacted,” OpenAI said. However, the total number of API customers affected by the data breach has not been disclosed by OpenAI.

The exposure of personally identifiable information in this manner could pose several risks to OpenAI’s API customers. For instance, threat actors could combine names, email addresses and OpenAI API metadata to craft convincing phishing messages through social engineering. User credentials that surface in one data breach could also be used by threat actors to attempt to log into user accounts on other platforms, an attack typically known as credential stuffing.

This incident also comes more than a week after the Digital Personal Data Protection (DPDP) Rules, 2025, were notified by the Ministry of Electronics and Information Technology (MeitY), paving the way for India to have a functional data protection law.

While certain provisions of the law are currently in force, other obligations, such as the requirement for entities to notify users of data breaches, will only come into force after 18 months.

What is OpenAI doing post-incident?

OpenAI has said it is in the process of notifying impacted organisations, admins, and users directly about the data breach. It has also terminated its use of Mixpanel.

“As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope,” the Sam Altman-led organisation said.

“Beyond Mixpanel, we are conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors,” it added.

What can OpenAI’s API customers do?

Developers and organisations who have signed up to use OpenAI’s API services will know they have been impacted by the data breach if they receive an email from OpenAI notifying them of the incident.

The AI startup also recommended the following measures for users to safeguard themselves post-incident:
– Treat unexpected emails or messages with caution, especially if they include links or attachments.
– Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain.
– Further protect your account by enabling multi-factor authentication (MFA). Enterprises and organisations are recommended to enable MFA at the single sign-on layer.
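The second recommendation, checking that a message claiming to be from OpenAI really comes from an official domain, is easy to get wrong by eye: lookalike domains such as "openai-support.example" or "openai.com.example.net" read as genuine at a glance, and a forged display name can carry an official-looking address while the real sender sits elsewhere. The following is an added example, not code from the original article or from OpenAI, showing how to parse the From: header of a message and accept only addresses whose domain is an official domain or a subdomain of one. The set of official domains is an assumption to be configured by the reader; the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Assumed configuration: the domains your organisation treats as official
# senders. "openai.com" is used here as a hypothetical entry; verify the
# list against the vendor's own published guidance before relying on it.
OFFICIAL_DOMAINS = {"openai.com"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header.

    The display name is discarded on purpose: a phishing message can put a
    legitimate-looking address in the display name while the actual
    address (inside the angle brackets) belongs to the attacker.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_official_sender(from_header: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if the sending domain equals an official domain or is a
    proper subdomain of one (mail.openai.com passes; openai.com.example.net
    and openai-support.example do not)."""
    domain = sender_domain(from_header)
    if not domain:
        return False
    return any(domain == d or domain.endswith("." + d) for d in official)


def classify_messages(from_headers):
    """Label each From: header as 'official' or 'suspicious'."""
    return {
        h: ("official" if is_official_sender(h) else "suspicious")
        for h in from_headers
    }


# Constructed sample From: headers, not taken from any real message.
SAMPLE_FROM_HEADERS = [
    "OpenAI <noreply@openai.com>",                      # official
    "OpenAI Support <security@mail.openai.com>",        # official subdomain
    "OpenAI <support@openai.com.example.net>",          # official name buried in another domain
    "OpenAI Security <noreply@openai-support.example>", # lookalike domain
    '"noreply@openai.com" <attacker@example.org>',      # display name mimics an address
]

if __name__ == "__main__":
    for header, verdict in classify_messages(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:10s} {header}")
```

This check catches the lookalike and display-name tricks that a recipient is most likely to miss, but it does not prove authenticity: the From: header itself can be forged, so for anything consequential also rely on the SPF, DKIM and DMARC results your mail provider records (typically in the Authentication-Results header) and, as the article advises, never act on a request for passwords, API keys or verification codes that arrives by email, text or chat.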

“OpenAI does not request passwords, API keys, or verification codes through email, text, or chat,” it said.
