OpenAI Confirms Data Breach—Here’s Who Is Impacted

A breach at analytics supplier Mixpanel earlier this month uncovered account names, electronic mail addresses, and browser places for some customers of OpenAI’s API, the AI large confirmed Wednesday, elevating considerations that cybercriminals might use the stolen metadata in focused phishing makes an attempt.

In line with Mixpanel, on November 8, an unknown attacker gained entry to a part of its programs and exported a dataset containing customer-identifiable metadata and analytics info. The stolen knowledge included usernames, electronic mail addresses, approximate browser-based location, working system, and browser particulars.

OpenAI mentioned the breach didn’t embody customers’ prompts, API keys, fee info, or authentication tokens.

Solely knowledge from customers who accessed OpenAI’s tech through the API—aka, through exterior apps powered by GPT—was leaked, the corporate mentioned. In different phrases, when you entry the ChatGPT chatbot immediately from OpenAI’s web site, then you definitely will not be impacted right here.



“As a part of our safety investigation, we eliminated Mixpanel from our manufacturing companies, reviewed the affected datasets, and are working carefully with Mixpanel and different companions to totally perceive the incident and its scope,” OpenAI mentioned in an announcement.

Based in 2009, the San Francisco-based Mixpanel is a product analytics platform used to trace person conduct throughout net and cell purposes. The corporate mentioned it detected the “smishing” marketing campaign, and after an preliminary investigation and response, alerted OpenAI the subsequent day.

“We’re dedicated to transparency, and are notifying all impacted clients and customers,” OpenAI mentioned. “We additionally maintain our companions and distributors accountable for the best bar for safety and privateness of their companies.”

Smishing is a kind of phishing assault performed by means of SMS messages. In line with an October report by infrastructure administration firm Spacelift, smishing accounted for 39% of all cell threats in 2024.

Mixpanel mentioned it secured affected accounts, revoked lively classes, rotated compromised credentials, and blocked malicious IP addresses. The corporate additionally reset worker passwords, employed exterior cybersecurity companies, and reviewed authentication, session, and export logs.

After the breach, Mixpanel mentioned it started notifying impacted clients in regards to the incident.

“When you have not heard from us immediately, you weren’t impacted,” Mixpanel CEO Jen Taylor mentioned in an announcement. “We proceed to prioritize safety as a core tenet of our firm, merchandise, and companies. We’re dedicated to supporting our clients and speaking transparently about this incident.”

Regardless of Mixpanel’s reporting of the incident to OpenAI, the ChatGPT developer mentioned it was chopping ties with the analytics agency. “After reviewing this incident, OpenAI has terminated its use of Mixpanel,” they wrote.

Some OpenAI clients took to social media to specific frustration with the revelation {that a} third-party service had entry to their info.

“I am not very glad about this. […] Why did they must move on my identify and electronic mail tackle to Mixpanel?” one person wrote on X. “I’m only a hobbyist making an attempt to make small experiments.”

“OpenAI sending names and emails to a 3rd social gathering analytics platform (Mixpanel) feels wildly irresponsible,” one other wrote.

OpenAI and Mixpanel didn’t instantly reply to requests for remark by Decrypt.