OpenAI API User Data Exposed in Mixpanel Security Breach
OpenAI disclosed a security incident involving Mixpanel, a third-party analytics provider, that resulted in unauthorized access to limited user data associated with its API platform. The breach occurred within Mixpanel's systems on November 9, 2025, when an attacker gained access and exported a dataset containing identifiable information about API account users. OpenAI emphasized that its own systems were not compromised and that no sensitive data such as chat logs, API requests, passwords, API keys, payment details, or government identification documents was exposed.
Incident Details
Mixpanel detected the intrusion on November 9, 2025, and immediately notified OpenAI about the unauthorized access to a portion of its systems. The analytics provider shared the affected dataset with OpenAI on November 25, 2025, enabling the company to assess the scope and begin notifying impacted users. The exposed information was limited to analytics-level data collected through Mixpanel's tracking on platform.openai.com and included names on API accounts, email addresses, coarse location data based on browser metadata, operating system and browser details, referring websites, and organization or user IDs.
ChatGPT users and users of other consumer-facing OpenAI products were not affected by this incident. OpenAI confirmed that session tokens, authentication tokens, and other sensitive parameters for its services remained secure.
Security Response and Remediation
OpenAI has terminated its use of Mixpanel across all production services and conducted comprehensive reviews of all affected datasets. The company is conducting expanded security audits across its entire vendor ecosystem and elevating security requirements for all third-party partners. Mixpanel CEO Jen Taylor stated that the company activated incident-response processes immediately, engaged external cybersecurity partners, revoked active sessions, rotated compromised credentials, blocked malicious IP addresses, and performed global employee password resets.
User Impact and Recommendations
While the exposed data does not include highly sensitive information, OpenAI warned that details such as names, email addresses, and user identifiers could be leveraged in phishing or social engineering attacks. The company advised all API users to remain vigilant for suspicious or unsolicited communications and reminded users that it never requests sensitive information such as passwords, API keys, or verification codes via email, text, or chat. OpenAI is directly communicating with all affected organizations, administrators, and individual users through email notifications.