
A security incident at Mixpanel, a third-party analytics provider used by OpenAI, led to the exposure of identifying and analytics metadata belonging to users of OpenAI's API platform.
No OpenAI systems, credentials or conversation content were compromised, but the exported dataset did include identifying information (names and email addresses) tied to some API accounts.
OpenAI uses Mixpanel for frontend web analytics on its API platform (platform.openai.com). The service provides insights into user behavior and product performance through event tracking and user identification, but does not store private communications or API payloads.
According to OpenAI's disclosure, the incident came to light on November 9, 2025, when Mixpanel notified the company that an unauthorized actor had accessed part of Mixpanel's systems and exported a dataset containing customer analytics data. After completing its investigation, Mixpanel shared the affected dataset with OpenAI on November 25.
The compromised data included names and email addresses associated with OpenAI API accounts, as well as metadata like user IDs, browser and OS details, referring websites, and coarse geolocation based on browser data (city, state, country). Importantly, no chat data, API keys, credentials, payment information, or government-issued IDs were included in the breach. ChatGPT users and other OpenAI products were not affected.
Mixpanel, based in San Francisco, is a popular analytics platform widely used by tech firms to optimize product usage and customer engagement. In a public statement earlier today, Mixpanel CEO Jen Taylor revealed that the incident began with a “smishing” (SMS phishing) campaign on November 8, leading to unauthorized access. The company activated its incident response process immediately, which included revoking active sessions, rotating credentials, blocking malicious IP addresses, and performing forensic analysis with third-party experts. Affected customers were contacted directly; those who did not receive communication are reportedly not impacted.
In response, OpenAI has removed Mixpanel from all production environments and terminated its use of the analytics provider. The company is reviewing the exposed data, monitoring for misuse, and notifying all impacted organizations and users directly. OpenAI emphasized that this was not a breach of its own systems and that all access tokens, API keys, and authentication credentials remain secure.
As a precaution, OpenAI is conducting a broader review of its entire vendor ecosystem and plans to raise the security bar for all partners. The company reiterated its commitment to privacy and transparency and is urging affected users to be alert for phishing or social engineering attempts that exploit the leaked information, since a message that correctly names a user, their email address and their API account is far more convincing than a generic lure.