OpenAI has reported a security incident involving Mixpanel, a third-party web analytics service utilized for its API product frontend. This breach, which targeted Mixpanel’s systems rather than OpenAI’s own infrastructure, allowed an attacker to gain unauthorized access to a dataset containing limited identifiable information of some OpenAI API users.
Mixpanel detected the unauthorized intrusion and informed OpenAI of the breach, which affected customer identifiable and analytics data. Fortunately, ChatGPT users and other OpenAI products were not impacted. The core systems of OpenAI remain secure, with no exposure of chat content, API requests, passwords, credentials, API keys, payment details, or government identification.
The data shared with OpenAI by Mixpanel on November 25, 2025, included personal information such as user names, email addresses, approximate locations determined by the user’s browser, as well as details about the operating systems and browsers used to access the API account. Additionally, information regarding referring websites and organization or user IDs associated with the API account was part of the affected dataset.
In response to the breach, OpenAI acted swiftly to mitigate risks by terminating its relationship with Mixpanel. They are proactively notifying all affected users and organizations via email. Although OpenAI found no evidence indicating misuse of the compromised data, they are continuing to monitor the situation closely for any related malicious activities.
To assist impacted users, OpenAI has issued several actionable steps to safeguard their information. Users are advised to exercise extreme caution regarding unexpected communications, verify that messages from OpenAI come from official domains, and protect their credentials diligently. Though OpenAI won’t ask for sensitive information through email, enabling Multi-Factor Authentication (MFA) remains a strong recommendation for enhancing account security.
While OpenAI is not advising users to reset their passwords or update their API keys given that these credentials were not compromised, they encourage users to reach out to their support team for any further concerns.
Overall, OpenAI’s prompt response and commitment to user security underscore its dedication to maintaining the integrity of its services. By elevating security reviews and enforcing stricter requirements for third-party vendors, the company is taking steps to prevent future incidents and ensure a safer environment for all API users.