- An attacker accessed part of Mixpanel’s systems on November 8 and exported customer-identifiable metadata.
- Data leaked included usernames, email addresses, browser locations, operating system, and browser details.
- OpenAI confirmed no prompts, API keys, payment information, or authentication tokens were exposed.
- The breach only affected users accessing OpenAI’s technology via the API, not direct website users.
- OpenAI ended its partnership with Mixpanel after reviewing the incident.
Earlier this month, an unauthorized individual breached part of analytics platform Mixpanel’s systems, exporting customer-identifiable metadata connected to some users of OpenAI’s API, the company confirmed here. The incident occurred on November 8 and involved leakage of account names, email addresses, approximate browser-based locations, operating systems, and browser information. This exposure raises risks of targeted phishing attacks.
OpenAI clarified that sensitive data such as user prompts, API keys, payment details, and authentication tokens were not part of the breach. Only users who accessed OpenAI’s technology through third-party applications using the API were affected. Direct users accessing the ChatGPT chatbot from OpenAI’s own website remain unaffected.
Following the breach, OpenAI took immediate action by removing Mixpanel from its production services and conducted an internal review in collaboration with Mixpanel and other partners to understand the incident’s full scope. “We removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope,” the company stated.
Mixpanel, founded in 2009, is a San Francisco-based product analytics service that tracks user behavior in web and mobile apps. It detected the breach as part of a “smishing” campaign—a phishing attack conducted through SMS messages—and alerted OpenAI the following day. In response, the company secured affected accounts, revoked active sessions, rotated compromised credentials, blocked malicious IP addresses, reset employee passwords, and hired external Cybersecurity firms for a detailed review.
“We are committed to transparency, and are notifying all impacted customers and users,” OpenAI added. “We also hold our partners and vendors accountable for the highest bar for security and privacy of their services.” Despite Mixpanel’s cooperation, OpenAI ended their use of the analytics platform after assessing the breach.
The incident drew criticism from some OpenAI customers concerned about third-party access to their data. One user posted on social media, “Why did they have to pass on my name and email address to Mixpanel?” Another commented, “OpenAI sending names and emails to a third party analytics platform (Mixpanel) feels wildly irresponsible.”
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- North Korean Hackers Flood npm with 197 Malicious Packages
- Strategy (MSTR) Again Rejected from S&P 500, SanDisk Chosen Instead
- CME Halts Trading 10 Hours Over Data Center Cooling Issue
- Legacy Python Package Vulnerabilities Risk Supply Chain Attacks via Domain Takeover
- BMNR Soars 8% as Firm Buys $44M ETH, Retail Mood ‘Bullish’
