OpenAI Confirms Mixpanel Breach Exposes Limited API User Data


On 9 November 2025, Mixpanel, a third-party web analytics provider used by OpenAI for its API product frontend, suffered a security breach when an attacker gained unauthorised access to part of its systems and exported a dataset containing limited customer identifiable information and analytics data. OpenAI confirmed the incident affected some API users after Mixpanel shared the compromised dataset on 25 November 2025, which enabled OpenAI to begin its investigation and notification process. Critically, the breach occurred within Mixpanel's infrastructure rather than OpenAI's own systems.

The exported data included names provided to OpenAI on API accounts, email addresses, coarse approximate location based on browser data, operating system and browser information, and organisation or user IDs associated with API accounts. OpenAI confirmed that chat content, prompts, responses, API usage data, passwords, API keys, payment information, government IDs, and account access credentials were not impacted by the breach. Following its security investigation, OpenAI immediately removed Mixpanel from its production services and terminated its use of the analytics provider after reviewing the affected datasets. The exposed information, particularly names and email addresses, could potentially be leveraged in phishing or social engineering schemes targeting users or their organisations.

OpenAI is conducting expanded security audits across its entire vendor ecosystem and raising security requirements for all third-party partners, stating it will hold external vendors to higher security standards as part of its ongoing response. Whilst this incident did not expose credentials, enabling multi-factor authentication remains a critical security control to protect accounts against unauthorised access. The breach underscores the persistent security risks associated with third-party service providers, even when a company's own infrastructure remains secure.
