OpenAI API's analytics provider faces data breach: Check if you're affected

OpenAI has confirmed a security incident at Mixpanel that exposed limited analytics data linked to OpenAI API users, while stressing that ChatGPT and other consumer products were not affected

OpenAI has disclosed a data breach incident at Mixpanel, a third-party analytics provider the company previously used for web analytics on the frontend interface for its API product. As per the Sam Altman-led company, the breach did not affect ChatGPT users or any other OpenAI consumer products, and there was no compromise of OpenAI’s own systems.

 

According to OpenAI, an attacker gained unauthorised access to a portion of Mixpanel’s infrastructure and exported a dataset containing limited identifiable information related specifically to API customers. Mixpanel informed OpenAI of the intrusion on November 9, 2025, and shared the affected dataset with the company on November 25.

 

What data was exposed

The incident was confined to Mixpanel’s systems and involved analytics data linked to some API accounts. Information potentially included:

• API account name
• Email address associated with the API account
• Approximate coarse location (city, state, country) inferred from the browser
• Operating system and browser details
• Referring websites
• Organisation or user IDs associated with the API account

OpenAI emphasised that no chats, prompts, API requests, API usage data, passwords, tokens, API keys, payment details or government IDs were exposed.

Response and containment

OpenAI says it has removed Mixpanel from all production services, reviewed the shared dataset and is working with the analytics provider to assess the scope of the intrusion. The company is directly notifying affected organisations, admins and individual API users.

 

OpenAI noted that all evidence so far indicates the breach was fully contained within Mixpanel’s environment, with no impact on OpenAI infrastructure or other services, including ChatGPT.

Advice for affected API users

The type of data exposed could be used for phishing or social engineering attempts. OpenAI recommends users remain vigilant, especially if they receive unexpected emails or messages referencing API accounts.

 

Key steps advised:

• Treat unexpected messages, links and attachments with caution.
• Verify that communications claiming to be from OpenAI originate from official domains.
• Remember that OpenAI never asks for passwords, API keys or verification codes.
• Enable multi-factor authentication for additional protection.

OpenAI confirmed that password changes or API key rotations are not required, as these were not affected.