OpenAI API users' data exposed in Mixpanel breach
Mixpanel is a third-party web analytics provider

Nov 27, 2025
04:20 pm

What's the story

OpenAI has confirmed that some of its API customers may have had their personal information compromised in a data breach. The incident occurred when an attacker gained unauthorized access to the systems of Mixpanel, a third-party web analytics provider used by OpenAI. The hacker exported a dataset with limited customer identifiable information and analytics information, according to OpenAI's blog post.

Breach details

Mixpanel breach and its impact on OpenAI

The data breach at Mixpanel happened on November 9, 2025. The company notified OpenAI about the incident and shared the affected dataset with them on November 25. While OpenAI's systems weren't compromised in this attack, user account information from its API platform was stolen by hackers. This included usernames, email addresses, operating system and browser details as well as organization or user IDs associated with API accounts.

Platform usage

OpenAI's API platform and Mixpanel's role

OpenAI provides its paying customers access to its AI models and tools through an Application Programming Interface (API). The platform is mainly used by OpenAI's developer community to power their own AI applications. Mixpanel, on the other hand, was being used by OpenAI to analyze product usage and improve services offered through its API product.

User safety

No impact on front-end users of OpenAI products

The data breach didn't affect front-end users of ChatGPT and other OpenAI products. The company clarified that chat-related data, API requests, passwords, credentials, and payment details were not compromised in the attack. However, it hasn't disclosed how many API customers were affected by this data breach.

Post-incident actions

OpenAI's response and future security measures

In the wake of the incident, OpenAI is notifying impacted organizations, admins, and users directly about the data breach. The company has also terminated its use of Mixpanel. "As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets," said an OpenAI representative. They added that they are working closely with Mixpanel and other partners to fully understand the incident and its scope.

Customer guidance

OpenAI advises API customers on post-incident safety measures

OpenAI has advised developers and organizations using its API services to look out for an email from the company notifying them of the incident. The company also recommended treating unexpected emails or messages with caution, checking that any message claiming to be from OpenAI is sent from an official domain, and enabling multi-factor authentication (MFA) for further account protection. "OpenAI does not request passwords, API keys, or verification codes through email," it said.