OpenAI, in an official statement, announced that a security incident at third-party analytics provider Mixpanel resulted in the exposure of limited personal information belonging to some users of its API platform. The company said its own systems were not breached and that users of ChatGPT and other consumer-facing services were not affected.
The ChatGPT-maker revealed that an attacker obtained unauthorized access to a portion of Mixpanel’s infrastructure on November 9 and exported a dataset that included analytics information and account identifiers for certain API customers. Mixpanel notified OpenAI earlier this week after conducting its own investigation. The compromised dataset included names and email addresses tied to API accounts, approximate location derived from users’ browsers, device and browser details, referring websites, and organization or user IDs, according to OpenAI. The company added that some profile information associated with the platform.openai.com interface may also have been included.
If you’re a ChatGPT user, there is no need to panic. OpenAI said in its official statement that no chat logs, prompts, model responses, API usage data, payment information, passwords, API keys, government IDs, or account-access credentials were part of the leaked dataset. “We have found no evidence of any effect on systems or data outside Mixpanel’s environment,” the company said.
“Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to some users of the API. Users of ChatGPT and other products were not impacted. This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed,” read OpenAI’s statement on the matter.
For now, the San Francisco-based AI firm has responded by removing Mixpanel from its production systems and reviewing the affected data, and is currently working with the analytics provider and other partners to determine the full scope of the breach. The company is also notifying impacted organizations, administrators, and individual users directly. OpenAI also warned that the exposed information could be used in phishing or social-engineering campaigns aimed at developers, and advised API users to treat unsolicited emails or messages with caution. Security researchers say that even low-sensitivity data, when combined with technical metadata, can be used to craft targeted attacks.
Mixpanel, which has more than 11,000 corporate customers, said separately that the breach stemmed from a “smishing” attack—an SMS-based social-engineering technique—detected on November 8. The company has contacted law enforcement and is alerting affected clients. “On November 8th, 2025, Mixpanel detected a smishing campaign and promptly executed our incident response processes. We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts. We engaged external cybersecurity partners to remediate and respond to the incident. We proactively communicated with all impacted customers. If you have not heard from us directly, you were not impacted. We continue to prioritize security as a core tenet of our company, products and services. We are committed to supporting our customers and communicating transparently about this incident,” Mixpanel wrote in its official statement.
The Tech Portal is published by Blue Box Media Private Limited. Our investors have no influence over our reporting.