On 9 November 2025, Mixpanel — a third-party analytics provider that OpenAI used for web analytics on its API frontend (platform.openai.com) — detected that an attacker had gained unauthorized access to part of its internal systems and exported a dataset containing limited customer-identifiable and analytics data.
Mixpanel informed OpenAI and, on 25 November 2025, shared the dataset of potentially affected data.
OpenAI clarified that this was not a breach of its own infrastructure — no chat logs, API requests or usage data, passwords, API keys, payment information, or identification documents were compromised.
Data that may have been exposed
According to OpenAI, the dataset exported from Mixpanel may have contained:
- The name entered on the API account.
- The email address associated with the API account.
- Approximate coarse location (city, state, country) inferred from browser data.
- Operating system and browser information used to access the API account.
- Referring websites.
- Organization or user IDs associated with the API account.
OpenAI emphasized this data stems solely from analytics metadata; no core user data or sensitive content was touched.
OpenAI’s response
- OpenAI immediately removed Mixpanel from its production systems.
- The company reviewed all impacted datasets and is working with Mixpanel and other partners to investigate the full scope of the incident.
- OpenAI is notifying all potentially impacted organizations, administrators, and individual users directly.
- The company stated there is currently no evidence of any misuse beyond Mixpanel’s environment.
- Additionally, OpenAI has initiated expanded security reviews across its entire third-party vendor ecosystem — raising security expectations and accountability for all partners.
What it means for you
If you used the OpenAI API via platform.openai.com, your account details — such as name, email, coarse location, and other non-sensitive metadata — may have been included in the compromised dataset.
While no sensitive credentials or usage data were exposed, the leaked names, email addresses, and account metadata are exactly what a targeted phishing or social-engineering message needs to look plausible. OpenAI recommends:
- Exercising caution with unexpected email or message requests, especially those that include links or attachments.
- Verifying that any communication claiming to be from OpenAI originates from an official OpenAI domain.
- Refraining from sharing passwords, API keys, or verification codes via unsolicited channels.
- Enabling multi-factor authentication (MFA) wherever available.
To date, OpenAI has not recommended password resets or API-key rotations — since those were not compromised.
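The "verify the sender domain" advice above is usually applied by eye, but it is straightforward to apply mechanically in a mail filter or a SOC triage script. The following Python is an added example, not code from OpenAI, Mixpanel, or the original article. It normalizes the domain of the real address in the From header (lower-casing, stripping a trailing dot, and converting internationalized names to punycode so Unicode lookalikes are compared byte-for-byte), checks it against an allowlist of expected sender domains, and additionally flags three common tricks the allowlist check alone would miss: a display name that shows an official address while the real address is elsewhere, a Reply-To pointing off-domain, and body links to hosts outside the allowlist. The allowlist entries and the two sample messages are constructed placeholders, since the article does not list OpenAI's official sending domains.

```python
"""Triage an inbound email's From, Reply-To and body links against an
allowlist of expected sender domains. Added example; not vendor code."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist: the article does not enumerate OpenAI's official
# sending domains, so this is a constructed placeholder for the example only.
OFFICIAL_DOMAINS = {"example-openai.invalid"}

_EMAIL_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.\-]+)")
_URL_HOST_RE = re.compile(r"https?://([^\s/\"'<>:]+)", re.IGNORECASE)


def normalize_domain(domain):
    """Lower-case, drop a trailing dot, and encode IDN labels as punycode so a
    Unicode lookalike cannot compare equal to an ASCII allowlist entry."""
    domain = domain.strip().rstrip(".").lower()
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_official(domain, allowed=OFFICIAL_DOMAINS):
    """True only if domain equals an allowed domain or is a subdomain of one.
    The comparison is anchored at the end of the string with a leading dot, so
    'allowed.example.attacker.test' does not match."""
    if not domain:
        return False
    for entry in allowed:
        official = normalize_domain(entry)
        if official and (domain == official or domain.endswith("." + official)):
            return True
    return False


def address_domain(header_value):
    """Domain of the actual address in a header, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return normalize_domain(addr.rsplit("@", 1)[1])


def triage(raw_message, allowed=OFFICIAL_DOMAINS):
    """Return the sender domain, a list of flags, and a trusted/suspicious verdict."""
    msg = message_from_string(raw_message)
    flags = []

    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_domain = address_domain(from_header)
    from_official = is_official(from_domain, allowed)
    if not from_official:
        flags.append("sender_domain_not_official")

    # Display-name spoofing: the visible name shows an official address while
    # the real address points somewhere else.
    for claimed in _EMAIL_DOMAIN_RE.findall(display_name):
        if is_official(normalize_domain(claimed), allowed) and not from_official:
            flags.append("display_name_claims_official_domain")
            break

    # Replies silently redirected off-domain are a classic credential-harvest setup.
    reply_to = msg.get("Reply-To")
    if reply_to and not is_official(address_domain(reply_to), allowed):
        flags.append("reply_to_not_official")

    # Every link host in the body must also sit inside the allowlist.
    body = msg.get_payload(decode=True)
    body = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body or "")
    for host in _URL_HOST_RE.findall(body):
        if not is_official(normalize_domain(host), allowed):
            flags.append("link_to_unexpected_host:" + host)

    return {"from_domain": from_domain, "flags": flags,
            "verdict": "trusted" if not flags else "suspicious"}


# Constructed sample messages for the example; not real mail.
SAMPLE_LEGIT = """\
From: "Platform Team" <noreply@example-openai.invalid>
Subject: Notice
Content-Type: text/plain

Details: https://example-openai.invalid/notice
"""

SAMPLE_SPOOF = """\
From: "noreply@example-openai.invalid" <alerts@example-openai.invalid.attacker.test>
Reply-To: alerts@example-openai.invalid.attacker.test
Subject: Verify your account
Content-Type: text/plain

Confirm here: https://example-openai.invalid.attacker.test/verify
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_SPOOF):
        print(triage(sample))
```

Running the module prints one result per sample: the first message carries no flags and is marked trusted; the second collects a flag for each of the four checks and is marked suspicious. The allowlist is passed as a parameter so the same logic can be reused for any vendor whose mail an organization expects to receive.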
Broader context & significance
This incident highlights the risk of third-party vendor dependencies — even if a company’s core infrastructure remains uncompromised, analytics providers or other external services may still pose data-exposure risks if their security is breached.
OpenAI’s swift removal of Mixpanel and expanded vendor scrutiny suggests the company is prioritizing privacy and data protection — but the episode underscores a wider challenge in modern SaaS and cloud-native ecosystems, where data flows across multiple external services and supply-chain trust must be managed diligently.
Users of API-based services — particularly those dealing with sensitive or business-critical data — should remain aware of such dependencies and employ robust security hygiene (MFA, careful email practices, vendor auditing) even when direct systems appear secure.
What to watch for
- Whether any further leaks or misuse of the exported data emerge.
- Whether regulatory bodies respond to the incident (given user-identifiable data was involved).
- How other companies reliant on third-party analytics react — possibly re-evaluating vendor risk and data-sharing practices.
- Whether OpenAI publishes further audits or updates about changes in its vendor-management and security posture.