OpenAI Security Incident With Third Party Data Analytics Mixpanel

OpenAI has confirmed that a recent security incident involving its third-party data analytics provider, Mixpanel, has resulted in the exposure of limited user profile and analytics data belonging to users of its API product frontend (platform.openai.com).

OpenAI has noted that the breach was contained entirely within Mixpanel’s systems and did not compromise any of its own core infrastructure, sensitive user data, or AI models. The company has since terminated its use of Mixpanel.

Scope and Impact Summary

Data Secured (NOT Compromised) 

The integrity of the core OpenAI platform remains intact. No evidence suggests the attacker accessed the most critical data:

  • API Keys or Credentials
  • Passwords
  • Chat Content, Prompts, or API Usage Data
  • Payment Information or Government IDs

Data Exposed (Low-Risk Metadata) 

The exported dataset contained user profile information associated with the use of the platform.openai.com interface, limited to:

  • Name and Email address associated with the API account
  • Approximate Coarse Location (city, state, country)
  • Operating System and Browser used to access the account
  • Referring Websites and Organization/User IDs

OpenAI’s Response

  • Containment & Notification: The incident was initially discovered by Mixpanel on November 9, 2025, and reported to OpenAI on November 25, 2025. As a primary security measure, OpenAI has entirely removed Mixpanel from its production environment.
  • Security Review: OpenAI is conducting an expanded security review across its entire third-party vendor ecosystem and has begun directly notifying all organizations and users whose data was involved.
  • User Advisory: The combination of names and emails increases the risk of highly targeted phishing attempts. Users are urged to remain vigilant, treating unexpected links or attachments with extreme caution, and to verify all communications claiming to be from OpenAI.

Frequently Asked Questions (FAQ)

Q: Was this caused by a vulnerability in OpenAI’s own systems?
A: No. This incident was limited to Mixpanel’s systems and did not involve unauthorized access to OpenAI’s infrastructure, core models, or API services.

Q: Were ChatGPT accounts or non-API users affected?
A: No. Users of ChatGPT, ChatGPT Enterprise, or other non-API products were not impacted. The breach was confined to the frontend analytics data for platform.openai.com.

Q: Do I need to reset my password or rotate my API keys?
A: No, it is not mandatory. Because passwords and API keys were not exposed, immediate rotation is not required for security. However, as a best practice, enabling Multi-Factor Authentication (MFA) is highly recommended to protect your account from all forms of compromise.

Q: Why did OpenAI use Mixpanel?
A: Mixpanel was used as a third-party web analytics provider to help OpenAI understand product usage patterns and improve its services for the API product.

Q: How do I know if my organization or I were impacted?
A: OpenAI is in the process of notifying all directly impacted users or their organization administrators via email. If you have not received a direct notification, your data was likely not involved.
