OpenAI says that a recent security incident at Mixpanel exposed limited user data belonging to some of its API customers. Mixpanel — a third-party analytics service that OpenAI used — suffered a breach that was detected on November 8, 2025. Attackers accessed part of Mixpanel’s systems and exported a dataset with certain user and analytics information. In response, Mixpanel secured accounts, revoked sessions, changed credentials, blocked malicious IPs, and launched an investigation. OpenAI has since cut ties with Mixpanel and removed it from its production services.
The exposed data was not highly sensitive, but it is still potentially useful to malicious actors. It may include API account-related information such as names, email addresses, approximate location (city/state/country based on browser data), operating system and browser, referring website, and user or organization IDs associated with the API account.
Importantly, OpenAI clarified that no core systems were breached. Sensitive data — including passwords, payment information, API keys, account credentials, government IDs, or the content of ChatGPT or API chats — remain safe. The breach did not affect general ChatGPT users.
Still, because exposed data includes personal identifiers and account metadata, there is a real risk of phishing or social-engineering attacks targeting affected users. OpenAI is alerting impacted customers and urging caution: any unexpected emails or messages should be treated carefully, and users are advised to enable multi-factor authentication and verify that communications come from official domains.
As part of its response, OpenAI conducted a full review of vendor relationships, removed Mixpanel from its services, and committed to more rigorous privacy and security checks for all third-party vendors.