4 Sources
[1]
OpenAI Data Breach Confirmed, But It's Unlikely to Impact You
OpenAI is the latest company to be involved in a data breach where customer information may have been compromised. If you use ChatGPT for personal use, it's unlikely your information has been stolen. In emails to customers and a blog post on its website, OpenAI explains that an incident with a data analytics provider called Mixpanel may have led to some customer data being stolen by an attacker. It only impacts those who have accounts to access the brand's API interfaces. Those with accounts for the API platform may have had details stolen, including their name, email address, approximate location, operating system, and the browser they use to access the website. It also included information for "referring websites" and "organization or User IDs associated with the API account." OpenAI says no other information was taken. Mixpanel first learned of the attacker gaining access to its systems on Nov. 9, 2025, and shared a dataset with OpenAI on Nov. 25. OpenAI then began telling customers a day later. The brand says those with API accounts should be even more cautious with their information moving forward, as the exposure may make them more likely to receive phishing messages. It says to look out for rogue emails, and reaffirms that OpenAI won't ever ask for your password, API keys or other verification codes over email or chat. OpenAI says, "Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users." The brand said it has stopped working with Mixpanel in its services. It says it will also be "conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors." If you were impacted by this incident, be sure to read PCMag's guide on what to do after a data breach.
Disclosure: Ziff Davis, PCMag's parent company, filed a lawsuit against OpenAI in April 2025, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.
[2]
OpenAI confirms ChatGPT data breach. Here is everything we know
OpenAI has confirmed a security breach involving a third-party analytics provider, Mixpanel. ChatGPT maker OpenAI has confirmed a security incident, which it says is not its fault. The data breach involves a third-party analytics provider, Mixpanel, which resulted in the exposure of limited user data associated with its API platform. "This was not a breach of OpenAI's systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed," the company said in an email notifying users on Thursday. Mixpanel reportedly became aware of an attacker on November 9, OpenAI said. The threat actor gained unauthorised access to part of its systems and exported a dataset which had limited customer-identifiable information and analytics data. OpenAI said the information that may have been affected was limited to names, email addresses, and user identifiers. OpenAI said that it had terminated its use of Mixpanel and reaffirmed that the breach wasn't caused by any vulnerabilities in OpenAI's systems. The company said it would investigate the breach and urged users to be additionally vigilant of phishing-type attacks and social engineering scams that might attempt to leverage the stolen data. Users have been encouraged to enable multi-factor authentication as an additional protective measure for their accounts. While OpenAI said no conversations with ChatGPT were exposed, the incident is a reminder of how much personal data OpenAI has access to as people bare their souls to chatbots. OpenAI said that it plans to enforce stricter security requirements for all external partners. While OpenAI's use of Mixpanel analytics is standard practice, it tracked data like email addresses and location that wasn't necessary for product improvement, potentially violating GDPR's data minimisation principle, said Moshe Siman Tov Bustan, a security research team lead at OX Security, an AI security company.
"Companies - from tech giants like OpenAI to one-person startups - should always aim to over-protect and anonymise customer data sent to third parties in order to avoid that type of information being stolen or breached," he told Euronews Next. "Even when using legitimate, vetted vendors, every piece of identifiable data sent externally creates another potential exposure point".
[3]
OpenAI Confirms User Data Exposed After Mixpanel Security Breach
The AI giant has removed Mixpanel from its production services
OpenAI's user data was exposed in a recent Mixpanel data breach, the company stated on Thursday. The San Francisco-based artificial intelligence (AI) giant revealed that while most of its sensitive user data, and the data of the end-users accessing ChatGPT, Sora app, and the ChatGPT Atlas browser was not exposed in this breach, some information about its application programming interface (API) users might have been leaked. The company has now started a security investigation, and OpenAI has stopped using Mixpanel services.
OpenAI's API Data Might Have Been Breached
In a newsroom post, the AI giant detailed the data breach incident that occurred on November 9. Mixpanel's systems were hacked into by an attacker and the threat actor was able to export a dataset that also included information about OpenAI's users. However, the ChatGPT maker said that the breached dataset contained limited customer identifiable information and analytics information. Mixpanel shared the affected dataset with the AI company on November 25, stating that they were investigating the incident. OpenAI also highlighted that its servers and products were not impacted in this data breach, and sensitive data, such as chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs, were not compromised. Detailing the impact OpenAI's API users should expect, the company said that user profile information associated with the use of "platform.openai.com" might have been included in the exported data.
The particulars of the breach could include:
* Name that was provided to OpenAI on the API account
* Email address associated with the API account
* Approximate coarse location based on API user browser (city, state, country)
* Operating system and browser used to access the API account
* Referring websites
* Organisation or User IDs associated with the API account
As a response, the ChatGPT maker has removed Mixpanel from its production services. It has also reviewed the affected datasets and is working with the digital analytics company and other partners to understand the full scope of the breach. "While we have found no evidence of any effect on systems or data outside Mixpanel's environment, we continue to monitor closely for any signs of misuse," the company said. As a preventive measure, the AI giant has requested all potentially impacted users to remain alert towards "credible-looking phishing attempts or spam."
[4]
OpenAI confirms millions affected in Mixpanel-linked data leak: Here's what it means
Users are urged to watch for phishing attempts and secure their accounts with MFA and updated passwords. Millions of user records connected to OpenAI's API services were exposed after attackers compromised the systems of Mixpanel, a third-party analytics provider. According to reports shared with impacted users of OpenAI, the leaked data included user names, email addresses, and organisational metadata associated with API usage. Cybersecurity specialists warn that such seemingly harmless information can still be misused. Attackers frequently leverage names and email addresses to craft convincing phishing messages designed to trick users into revealing credentials or clicking malicious links. Because of this, even a breach involving non-sensitive records can carry long-term risks. OpenAI in its official statement clarified that the OpenAI servers were not compromised. It further said that the breach occurred entirely inside Mixpanel's infrastructure, which stored limited analytics data tied to certain API accounts. OpenAI emphasised that regular ChatGPT users were unaffected and that no chats, API requests, credentials, government IDs, passwords or payment details were exposed at any point. Mixpanel found the unauthorised access on 9 November 2025. On 25 November 2025, the company shared the affected data with OpenAI so that OpenAI could start checking what went wrong. As soon as OpenAI came to know about the issue, it immediately removed Mixpanel from all its live systems to stop any further data leak. After that, OpenAI carefully reviewed all the impacted records and started informing every affected user and organisation around the world. Along with fixing the issue, OpenAI also announced new steps to make security stronger for all its third-party partners.
This shows that the company will now be more careful as it continues to grow and launch new tools that depend on outside services. While the breach did not reveal sensitive items such as passwords, payment information or ChatGPT conversations, the exposure of basic account details has still sparked widespread worry across the global developer community, including in countries like India. OpenAI has urged all users, whether or not they believe their information was involved, to stay alert for potential phishing attempts. With names and email addresses included in the leak, attackers may impersonate OpenAI or related services by sending messages that appear legitimate. Users should be wary of unexpected links, attachments, or requests for personal information. OpenAI reminds everyone that it never asks for passwords, API keys, verification codes or other sensitive details via email or text. Any message that makes such a request should be treated as suspicious. Verifying that emails come from official OpenAI domains offers an additional layer of protection. To reduce risk further, users are encouraged to enable multi-factor authentication (MFA) on all accounts linked to the exposed email address. Reviewing other services that use the same credentials, updating passwords where necessary, and monitoring for unusual activity can help limit potential damage.
OpenAI disclosed a security incident involving third-party analytics provider Mixpanel that exposed limited user data from API accounts. The breach affected names, email addresses, and basic account information but did not compromise sensitive data like passwords or ChatGPT conversations.

OpenAI has confirmed a significant data breach involving its third-party analytics provider Mixpanel, potentially affecting millions of users who access the company's API services [1][2]. The security incident was first detected on November 9, 2025, when attackers gained unauthorized access to Mixpanel's systems and successfully exported datasets containing limited customer information [3].

Mixpanel shared the affected dataset with OpenAI on November 25, prompting the AI company to begin notifying impacted customers the following day [1]. OpenAI emphasized that this was not a breach of its own systems, but rather occurred entirely within Mixpanel's infrastructure [2].

The breach specifically impacted users with accounts on OpenAI's API platform, while regular ChatGPT users for personal use remained unaffected [1]. The exposed information included names provided to OpenAI on API accounts, email addresses associated with those accounts, approximate coarse location data based on browser usage, operating system and browser information, referring websites, and organization or user IDs linked to API accounts [3].

Crucially, OpenAI confirmed that no sensitive data was compromised, including ChatGPT conversations, API requests, API usage data, passwords, credentials, API keys, payment details, or government identification documents [2][3].

Following the discovery of the breach, OpenAI took swift action by immediately terminating its use of Mixpanel across all production services [3][4]. The company has initiated a comprehensive security investigation and is working closely with Mixpanel and other partners to understand the full scope of the incident.

OpenAI announced plans to implement stricter security requirements for all external partners and vendors, conducting expanded security reviews across its entire vendor ecosystem [1][4]. The company stated it has found no evidence of any effects on systems or data outside Mixpanel's environment but continues monitoring for signs of misuse.

Cybersecurity experts have raised concerns about the potential misuse of the exposed data, despite its seemingly limited nature [4]. Moshe Siman Tov Bustan from OX Security noted that OpenAI's use of Mixpanel tracked data like email addresses and location information that wasn't necessary for product improvement, potentially violating GDPR's data minimization principle [2].

The exposed names and email addresses could be leveraged by attackers to craft convincing phishing messages designed to trick users into revealing credentials or clicking malicious links [4]. This creates long-term risks even though the breach involved non-sensitive records.

OpenAI has issued comprehensive guidance for potentially affected users, emphasizing the need for heightened vigilance against phishing attempts and social engineering scams [2][4]. The company explicitly stated it never requests passwords, API keys, or verification codes via email or chat communications [1].

Users are strongly encouraged to enable multi-factor authentication on all accounts linked to the exposed email addresses, review other services using the same credentials, update passwords where necessary, and monitor for unusual activity [4]. OpenAI recommends verifying that emails come from official company domains as an additional protective measure.

Summarized by Navi