OpenAI is informing some ChatGPT API customers that a third-party data breach at its analytics provider, Mixpanel, exposed limited identifying information.

Mixpanel provides event analytics that OpenAI uses to monitor user interactions on the API’s frontend interface.

According to OpenAI, the incident affected “limited analytics data related to some users of the API” and did not impact users of ChatGPT or any other OpenAI products. The company emphasized that no chat logs, API requests, API usage data, passwords, credentials, API keys, payment information, or government IDs were compromised.

Mixpanel said the breach stemmed from an SMS phishing (smishing) attack detected on November 8, which affected a “limited number” of its customers. OpenAI received details about the impacted data on November 25 as part of Mixpanel’s ongoing investigation.

Exposed Data May Include:

  • Name on the API account
  • Email address associated with the account
  • Approximate coarse location (city, state, country)
  • Operating system and browser used
  • Referring websites
  • Organization or user IDs linked to the API account

OpenAI stressed that the exposed information does not require users to reset passwords or regenerate API keys.

Some users have also reported impacts on other companies using Mixpanel, including CoinTracker, where leaked data reportedly included device metadata and limited transaction counts.

OpenAI has launched its own investigation and removed Mixpanel from production environments as a precaution. The company is directly notifying all affected organizations, administrators, and users, and has informed all subscribers for transparency, even if they were not impacted.

READ
North Korean Hackers Target Developers With 100+ Malicious npm, Go, and Chrome Packages

OpenAI warned that the leaked data could be misused for phishing or social-engineering attacks. Users are advised to:

  • Verify all messages claiming to be from OpenAI
  • Check links and attachments to ensure they originate from official OpenAI domains
  • Enable two-factor authentication (2FA)
  • Never share passwords, API keys, or verification codes via email, SMS, or chat

Mixpanel CEO Jen Taylor confirmed that all impacted customers have been directly contacted, adding: “If you have not heard from us, you were not impacted.”


Buy ExpressVPN with PayPal or Credit Card

In response to the breach, Mixpanel secured accounts, revoked active sessions, rotated credentials, blocked the attacker’s IP addresses, reset all employee passwords, and implemented new security safeguards.

Advertisement