OpenAI Mixpanel data breach

OpenAI removed Mixpanel, a third-party analytics provider, after a breach on Mixpanel's system exposed limited data (name, email, location) of some OpenAI API users. ChatGPT users and core OpenAI systems were not affected. Passwords and API keys remain safe. OpenAI is notifying affected users and is implementing Multi-Factor Authentication (MFA) and enhancing vendor security reviews.

Nov 27, 2025 - 11:46
Nov 27, 2025 - 12:09
OpenAI has removed Mixpanel after a data breach at Mixpanel exposed limited user data (name, email address, and general location) for the affected OpenAI API users. Users of ChatGPT and all other core OpenAI systems were not affected. Passwords and API keys remain safe with OpenAI. OpenAI will provide additional security features, such as enabling multi-factor authentication (MFA), to help protect users, and recommends that all users practice safe computing habits by being cautious of any potential phishing attempts.

Mixpanel, a third-party web analytics service that OpenAI uses on the API product's web front-end, has confirmed a security incident. An attacker obtained access to, and downloaded, a database containing a small amount of identifiable information about some OpenAI API users. The incident occurred through a breach of Mixpanel's systems, not OpenAI's.

Mixpanel first became aware of an unauthorised intrusion into part of its systems. The attacker was able to extract a database containing customer identification information as well as customer analytics data.

Shortly after, Mixpanel contacted OpenAI, which relied on Mixpanel to supply web analytics for the openai.com front-end of the API product. The security incident did not affect ChatGPT users or OpenAI customers using any of its apps. Chat content, API requests, API usage information, user passwords, credentials, API keys, payment information, and government-issued identification numbers were all unaffected. OpenAI's back-end systems remain uncompromised.

On November 25, 2025, Mixpanel sent the evidence and dataset to OpenAI which allowed OpenAI to begin its own investigation and notification process.

Information about affected users

Mixpanel's exported data contained limited user profile information and analytics related to use of the openai.com platform. Affected user data consisted of:

  • OpenAI API account name.
  • Email address associated with the API account.
  • Approximate geolocation derived from the user's browser (city/state and country).
  • Operating system and browser used to access the API account.
  • Referrer websites.
  • Organization/user ID associated with the API account.

OpenAI's Response to the Breach

OpenAI has acted quickly to remedy the breach and, on completing an internal investigation into the incident, immediately removed Mixpanel from its production services.

After examining the compromised datasets, OpenAI confirmed that it is ceasing to use Mixpanel. The company will notify all affected organisations, as well as the individuals whose information was exposed, directly by email. OpenAI has found no indication that the exposed data has been misused, but it continues to monitor for signs of malicious activity.

The company has also announced that it will carry out an enhanced security review of its entire vendor ecosystem and raise its security requirements for all third-party vendors.

Actionable Steps for Affected Users

The exposed data potentially exposes affected users, and their organizations, to phishing and social engineering attacks by third parties.

OpenAI recommends that all API users continue to monitor their inboxes for suspicious requests for sensitive information from third parties:

  • Be Cautious: Always be suspicious of any unexpected communication (email or otherwise) that contains links or attachments.
  • Confirm Official Domains: Always verify that any communication from OpenAI is coming from the correct OpenAI domain.
  • Do Not Give Out Login Credentials: OpenAI will NEVER ask for your password, API key, or any verification codes via email, text message, or chat.
  • Use MFA: Although this incident did NOT expose any login credentials, enabling multi-factor authentication is a fundamental control for protecting your account against unauthorized access. Organizations should enable MFA for all single sign-on systems.
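
The three mail checks above (sender domain, link domains, no credential requests) as a small triage script, added here as an illustration rather than any guidance or code from OpenAI or Mixpanel; it assumes openai.com and its subdomains are the only legitimate OpenAI domains and runs on a constructed sample email.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption (not stated on the page): openai.com and its subdomains are the
# only domains OpenAI sends from and links to. Replace with your own allowlist.
TRUSTED_DOMAINS = {"openai.com"}
# Things the page says OpenAI will never ask for by email, text or chat.
CREDENTIAL_WORDS = ("password", "api key", "verification code")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def domain_is_trusted(host: str) -> bool:
    """True only for a trusted domain or a genuine subdomain of it; a lookalike
    such as openai.com.example.net fails because the trusted domain is not the
    final part of the hostname."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header ('' if none found)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header or "")
    return m.group(1).lower() if m else ""

def triage_message(raw: str) -> dict:
    """Check a plain-text email against the advisory's three points: sender
    domain, every linked domain, and any request for a credential."""
    msg = message_from_string(raw)
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    reasons = []
    sender = sender_domain(msg.get("From", ""))
    if not domain_is_trusted(sender):
        reasons.append(f"sender domain not trusted: {sender or '<none>'}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not domain_is_trusted(host):
            reasons.append(f"link domain not trusted: {host}")
    for word in CREDENTIAL_WORDS:
        if word in body.lower():
            reasons.append(f"asks for a credential: {word}")
    return {"suspicious": bool(reasons), "reasons": reasons}

# Constructed sample: a lookalike domain plus a request for an API key.
SAMPLE_PHISH = """From: OpenAI Support <support@openai.com.security-check.example>
To: user@example.org
Subject: Action required on your API account

Please confirm your API key at https://openai.com.security-check.example/verify
"""
```

Each flag is a reason to verify through a known-good channel, not a verdict; a legitimate notice can still mention the word "password".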

OpenAI is NOT recommending that affected users change their passwords or rotate their API keys, as this breach did NOT compromise any of that information.

If you have any additional questions or concerns after reviewing the content of this communication, please contact OpenAI Support.