Data breach at OpenAI through analytics provider Mixpanel's platform

OpenAI has confirmed a security incident involving third-party analytics provider Mixpanel, resulting in the exposure of limited user data associated with its API platform. OpenAI said the incident did not impact its own systems or compromise user credentials, payment information or API data.

Event Overview

The incident was related to unauthorized access to datasets within Mixpanel’s systems. OpenAI reported that an attacker exported data containing some identifying information of API account users.

Potentially exposed details include names provided on API accounts, email addresses, approximate location information, operating system and browser details, referring websites, and organization or user IDs associated with API accounts.

OpenAI stressed that no chat logs, API requests, passwords, keys, payment details or sensitive identity documents were accessed. The data breach only affected information collected for analytics purposes through Mixpanel.

Security Response

OpenAI has ended the use of Mixpanel in its production services and has reviewed all datasets involved in the incident. The company said it has worked with Mixpanel and other partners to assess the scope of the breach and is communicating directly with affected organizations and users.

OpenAI said there is no evidence that the incident affected any systems or information outside the Mixpanel environment. The company nevertheless said it would continue to monitor potential misuse of the affected data.

OpenAI is conducting expanded security audits across its entire vendor ecosystem and raising security requirements for all third-party partners. OpenAI also said it would hold external vendors to higher security standards as part of its ongoing response.

User Impact

Information potentially accessed through Mixpanel could put users at increased risk of phishing or social engineering attempts.

The details exposed included names, email addresses and user identifiers. OpenAI advises all customers and users to be alert to any suspicious or unsolicited communications related to this incident. The company reiterated that it does not request sensitive information such as passwords, API keys or verification codes via email, text or chat.

Users are also encouraged to enable multi-factor authentication for their accounts as an additional protective measure.

Ongoing Transparency

“Trust, security and privacy are fundamental to our products, our organization, and our mission. We are committed to transparency, and notifying all affected customers and users. We also hold our partners and vendors accountable to the highest bar for the security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel,” an OpenAI spokesperson said.


