OpenAI has confirmed a security incident involving Mixpanel, a third-party analytics provider used for its API product frontend. The company clarified that the OpenAI Mixpanel security incident stemmed solely from a breach within Mixpanel’s systems and did not involve OpenAI’s infrastructure.
According to the initial investigation, an attacker gained unauthorized access to a portion of Mixpanel’s environment and exported a dataset that included limited identifiable information of some OpenAI API users.
OpenAI stated that users of ChatGPT and other consumer-facing products were not impacted.
OpenAI Mixpanel Security Incident: What Happened
The OpenAI Mixpanel security incident originated on November 9, 2025, when Mixpanel detected an intrusion into a section of its systems. The attacker successfully exported a dataset containing identifiable customer information and analytics data. Mixpanel notified OpenAI on the same day and shared the affected dataset for review on November 25.
OpenAI emphasized that despite the breach, no OpenAI systems were compromised, and sensitive information such as chat content, API requests, prompts, outputs, API keys, passwords, payment details, government IDs, or authentication tokens were not exposed.
The exposed dataset was strictly limited to analytics data collected through Mixpanel’s tracking setup on platform.openai.com, the frontend interface for OpenAI’s API product.
Information Potentially Exposed in the Mixpanel Data Breach
OpenAI confirmed that the type of information potentially included in the dataset comprised:
- Names provided on API accounts
- Email addresses associated with API accounts
- Coarse location data (city, state, country) based on browser metadata
- Operating system and browser information
- Referring websites
- Organization or User IDs linked to API accounts
OpenAI noted that the affected information does not include chat content, prompts, responses, or API usage data. Additionally, ChatGPT accounts, passwords, API keys, financial details, and government IDs were not involved in the incident.
OpenAI’s Response and Security Measures
In response to the Mixpanel security incident, OpenAI immediately removed Mixpanel from all production services and began reviewing the affected datasets. The company is actively notifying impacted organizations, admins, and users through direct communication.
OpenAI stated that it has not found any indication of impact beyond Mixpanel’s systems but continues to closely monitor for signs of misuse.
To reinforce user trust and strengthen data protection, OpenAI has:
- Terminated its use of Mixpanel
- Begun conducting enhanced security reviews across all third-party vendors
- Increased security requirements for partners and service providers
- Initiated a broader review of its vendor ecosystem
OpenAI reiterated that trust, security, and privacy remain central to its mission and that transparency is a priority when addressing incidents involving user data.
Phishing and Social Engineering Risks for Impacted Users
While the exposed information does not include highly sensitive data, OpenAI warned that the affected details, such as names, email addresses, and user IDs, could be leveraged in phishing or social engineering attacks.
The company urged users to remain cautious and watch for suspicious messages, especially those containing links or attachments. Users are encouraged to:
- Verify messages claiming to be from OpenAI
- Be wary of unsolicited communication
- Enable multi-factor authentication (MFA) on their accounts
- Avoid sharing passwords, API keys, or verification codes
OpenAI stressed that the company never requests sensitive credentials through email, text, or chat.
OpenAI confirmed it will provide further updates if new information emerges from ongoing investigations. Impacted users can reach out at [email protected] for support or clarification.
