OpenAI API user data exposed in Mixpanel security breach

OpenAI has confirmed a security incident involving Mixpanel, a third-party web analytics provider it uses for its API product frontend. This incident, which was a breach of Mixpanel’s systems, not OpenAI’s infrastructure, resulted in an attacker gaining unauthorized access to and exporting a dataset containing limited identifiable information of some OpenAI API users.

Mixpanel first became aware of the unauthorized intrusion into a portion of its systems. An attacker successfully exported a dataset containing identifiable customer and analytical information.

Mixpanel subsequently notified OpenAI, which used the provider exclusively for web analytics on the frontend of its API product, platform.openai.com. The security incident had no impact on ChatGPT users or other OpenAI products. This was not a breach of OpenAI’s core systems; chat content, API requests, API usage data, passwords, credentials, API keys, payment details, and government IDs were not compromised.

Mixpanel shared the affected dataset with OpenAI on November 25, 2025, allowing the company to begin its investigation and notification process.

Affected User Information

Data exported from the Mixpanel environment included limited user profile and analytical information related to users’ activity on the platform.openai.com interface. The affected information is limited to:

  • Name provided to OpenAI on the API account.

  • Email address linked to the API account.

  • Approximate location based on the user’s browser (city, state, country).

  • Operating system and browser used to access the API account.

  • Referring websites.

  • Organization or user ID associated with the API account.

OpenAI’s response to the breach

OpenAI moved quickly to address the risk. Following the security investigation, the company immediately removed Mixpanel from its production services.

After reviewing the affected datasets, OpenAI confirmed that it has ended the use of Mixpanel. The company now focuses on notifying all affected organizations, administrators, and individual users directly via email. OpenAI said that although it found no evidence of abuse, it continues to monitor closely for any signs of related malicious activity.

Additionally, the company announced that it is conducting additional, expanded security reviews across its entire vendor ecosystem and enhancing security requirements for all third-party partners.

Actionable steps for affected users

The exposed information, including names, email addresses, and API metadata, could potentially be used in phishing or social engineering schemes targeting users or their organizations.

OpenAI encourages all API users to be alert to suspicious communications:

  • Take precautions: Treat unexpected emails or messages with a high level of suspicion, especially those containing links or file attachments.

  • Verify official domain: Double-check that any communication claiming to be from OpenAI originates from the official company domain.

  • Protect credentials: Remember that OpenAI will never request passwords, API keys, or verification codes via email, text, or chat.

  • Enable Multi-Factor Authentication (MFA): Although this incident did not expose credentials, enabling MFA remains an important security control to protect accounts from unauthorized access. Organizations should enable MFA at the single sign-on layer.

OpenAI is not recommending that users reset their passwords or rotate their API keys, because the breach did not compromise them.

OpenAI has urged users to contact its support team for further concerns.
