OpenAI has alerted customers to a security incident involving Mixpanel, a third-party analytics provider the artificial intelligence company previously used to track web analytics on its API platform interface. The breach occurred within Mixpanel’s systems and exposed only limited analytics-level data linked to API accounts, OpenAI said in an email to users on November 27.
“Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com),” the email said.
OpenAI said the issue stemmed from an intrusion into Mixpanel’s systems. “This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed,” the ChatGPT maker said.
Mixpanel detected the attack on November 9. “On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us," it said.
Moneycontrol has sent quereis to OpenAI and the story will be updated when a response comes in.
User profile information associated with the use of platform.openai.com may have been included in data exported from Mixpanel, OpenAI said. The information that may have been affected includes:
- Name that was provided to us on the API account
- Email address associated with the API account
- Approximate coarse location based on API user browser (city, state, country)
- Operating system and browser used to access the API account
- Referring websites
- Organisation or User IDs associated with the API account
OpenAI said it responded immediately. “As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope.”
The company said it has “found no evidence of any effect on systems or data outside Mixpanel’s environment” but will continue monitoring for potential misuse.
Following the review, OpenAI said it has “terminated its use of Mixpanel” and initiated broader vendor-security audits.
In its blog post, the company said ChatGPT accounts were not affected and users of the chatbot or any other OpenAI products were not impacted. The company said session tokens, authentication tokens and other sensitive parameters for OpenAI services were also not impacted.
Mixpanel CEO Jen Taylor said the company detected a smishing campaign and immediately activated its incident-response processes.
"We took comprehensive steps to contain and eradicate unauthorised access and secure impacted user accounts. We engaged external cybersecurity partners to remediate and respond to the incident," Taylor said in a blog post.
Mixpanel brought in external cybersecurity partners, revoked active sessions, rotated compromised credentials, blocked malicious IP addresses, registered indicators of compromise, conducted global employee password resets, and performed forensic reviews of authentication, session and export logs, she said.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
