Key Highlights

  • A security incident occurred at Mixpanel, affecting limited analytics data related to some OpenAI API users
  • No sensitive information, such as passwords, API keys, or payment details, was compromised
  • OpenAI has terminated its use of Mixpanel and is conducting additional security reviews across its vendor ecosystem

The recent security incident at Mixpanel, a data analytics provider used by OpenAI for web analytics, highlights the importance of vendor risk management in the tech industry. It reflects a broader industry trend in which companies increasingly rely on third-party providers to enhance their services. That reliance also increases the risk of security breaches, as evidenced by the Mixpanel incident.

Incident Overview

On November 9, 2025, Mixpanel discovered an attacker had gained unauthorized access to part of their systems, exporting a dataset containing limited customer identifiable information and analytics data. OpenAI was notified, and upon reviewing the affected dataset, they found that user profile information associated with the use of platform.openai.com may have been included. The information that may have been affected was limited to:

  • Name associated with the API account
  • Email address associated with the API account
  • Approximate coarse location based on API user browser
  • Operating system and browser used to access the API account
  • Referring websites
  • Organization or User IDs associated with the API account

Response and Mitigation

OpenAI’s response to the incident involved removing Mixpanel from their production services, reviewing the affected datasets, and working closely with Mixpanel to understand the incident’s scope. They are also notifying impacted organizations, admins, and users directly. To protect against potential phishing or social engineering attacks, OpenAI encourages users to remain vigilant and verify the authenticity of any messages claiming to be from OpenAI.

Conclusion and Next Steps

The security and privacy of OpenAI’s products are paramount, and the company remains committed to transparency and protecting user information. In light of this incident, OpenAI is conducting additional security reviews across its vendor ecosystem and elevating security requirements for all partners and vendors. Users can take steps to further protect their accounts by enabling multi-factor authentication. For more information and updates on the incident, users can visit the official OpenAI website or contact their support team at [email protected].
