Jun 03, 2026
Nov 27, 2025
3 Mins Read
OpenAI Notifies Users of Mixpanel Security Incident
A recent security incident involving Mixpanel, a third-party analytics provider that OpenAI used to track frontend web interactions on its API platform, has raised important questions. On November 26, 2025, OpenAI publicly disclosed that limited analytics data from its API platform interface was accessed due to a breach in their third-party’s systems.
The company is notifying affected users by email, outlining what was accessed and providing recommended precautions.
OpenAI’s email notification about the Mixpanel breach
In this blog post, we unpack the key details: what exactly happened, who may be affected, and how users can stay safe going forward.
What Exactly Happened at Mixpanel?
The company detected unauthorized access to a segment of its infrastructure on November 9, 2025. The attacker exported a dataset containing user-identifiable analytics data tied to API accounts from OpenAI’s web interface at platform.openai[.]com.
This incident was confined to Mixpanel’s environment and was not the result of any vulnerability in OpenAI’s systems.
After investigating the breach, Mixpanel informed OpenAI and shared the impacted dataset on November 25. OpenAI has since acted promptly to assess the scope and implications of the incident.
Was OpenAI API, Platform, or ChatGPT Compromised?
No. According to OpenAI’s disclosure, this incident did not involve any breach of their own systems. Sensitive information such as API keys, chat logs, passwords, API usage data, or payment details were not exposed. The breach was limited solely to Mixpanel’s analytics platform used to track user interactions on the API interface.
Products like ChatGPT and other OpenAI services were entirely unaffected by the incident.
What User Information Was Exposed?
The data accessed by the attacker included analytics-level user information, not credentials or sensitive operational data. OpenAI has listed the potentially exposed information as:
- Name provided with the API account
- Associated email address
- Approximate browser-based location (city, state, country)
- Operating system and browser used
- Referring websites
- Organization or User IDs tied to the API account
This type of metadata could be used in phishing or social engineering attacks, but alone it does not grant access to any services.
How Has OpenAI Responded?
Immediately upon confirmation of the incident, OpenAI removed Mixpanel from all production environments. It is no longer in use across their systems. The company is also conducting a broader audit of its third-party vendors and tightening security standards for all analytics partners.
Furthermore, OpenAI is directly notifying impacted users and organizations by email. They have also published a detailed incident summary outlining their investigation, findings, and next steps.
What Should Users Do Now?
Although no passwords or API keys were exposed, users should stay alert.
- Be cautious of emails or messages that appear to come from OpenAI, especially those asking for login credentials or API access.
- Verify the sender’s domain before responding to any communication.
- Enable Multi-Factor Authentication (MFA) for additional protection.
- Report any suspicious activity to [email protected].
No password resets or key rotations are currently necessary unless prompted by unusual account activity.
SOCRadar’s Supply Chain Intelligence, Third-Party Companies
To help organizations proactively monitor and manage third-party risks like these, tools such as SOCRadar’s Supply Chain Intelligence can provide continuous visibility and threat detection across your vendor ecosystem.
Table Of Content
Related Articles
