ChatGPT security breach: OpenAI confirms Mixpanel lapse exposed user names and emails

chatgpt

OpenAI has confirmed that a security incident at its analytics partner Mixpanel exposed limited personal data belonging to some of its API product users. The company said the breach did not compromise any of its internal systems or ChatGPT user accounts and was restricted to Mixpanel’s environment, where an attacker gained unauthorised access earlier this month.

OpenAI received the impacted dataset from Mixpanel on November 25 and found that the exposed information consisted only of non-sensitive profile data. The company said that details such as passwords, payment information, chat logs and API keys remained unaffected.

According to OpenAI, the compromised dataset included profile-level details linked to API accounts. This information may have included:

• Names added to the API account

• Email addresses associated with the account

• Approximate location such as city, state or country

• Operating system and browser information

• Referring websites

• Organisation or user IDs used for analytics

OpenAI emphasised that no sensitive or authentication-related data was part of the breach.

Following the incident, OpenAI said it has fully removed Mixpanel from its production systems. The company noted that it is conducting deeper audits across its vendor ecosystem and plans to increase security requirements for all third-party partners. In its statement, OpenAI reiterated that trust, security and privacy continue to be central to its products and operations.

The platform is also notifying all affected organisations, admins and users directly.

OpenAI has warned that the exposed information could be used in phishing or social engineering attempts, since names, email addresses and API identifiers were part of the leaked dataset. Users have been advised to be cautious when receiving emails or messages that appear to come from OpenAI, especially if they contain links or ask for personal details.

OpenAI also reminded users that it never requests passwords, API keys or verification codes via email, text or chat. It recommended enabling multi-factor authentication to add another layer of protection.