OpenAI Confirms Data Breach—Here’s Who Is Impacted

A breach at analytics provider Mixpanel earlier this month exposed account names, email addresses, and browser locations for some users of OpenAI’s API, the AI giant confirmed Wednesday, raising concerns that cybercriminals could use the stolen metadata in targeted phishing attempts.

According to Mixpanel, on November 8, an unknown attacker gained access to part of its systems and exported a dataset containing customer-identifiable metadata and analytics information. The stolen data included usernames, email addresses, approximate browser-based location, operating system, and browser details.

OpenAI said the breach did not include users’ prompts, API keys, payment information, or authentication tokens.

Only data from users who accessed OpenAI’s tech via the API—aka, via external apps powered by GPT—was leaked, the company said. In other words, if you access the ChatGPT chatbot directly from OpenAI’s website, then you won’t be impacted here.

“As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope,” OpenAI said in a statement.

Founded in 2009, the San Francisco-based Mixpanel is a product analytics platform used to track user behavior across web and mobile applications. The company said it detected the “smishing” campaign, and after an initial investigation and response, alerted OpenAI the next day.

“We are committed to transparency, and are notifying all impacted customers and users,” OpenAI said. “We also hold our partners and vendors accountable for the highest bar for security and privacy of their services.”

Smishing is a type of phishing attack conducted through SMS messages. According to an October report by infrastructure management company Spacelift, smishing accounted for 39% of all mobile threats in 2024.

Mixpanel said it secured affected accounts, revoked active sessions, rotated compromised credentials, and blocked malicious IP addresses. The company also reset employee passwords, hired external cybersecurity firms, and reviewed authentication, session, and export logs.

After the breach, Mixpanel said it began notifying impacted customers about the incident.

“If you have not heard from us directly, you were not impacted,” Mixpanel CEO Jen Taylor said in a statement. “We continue to prioritize security as a core tenet of our company, products, and services. We are committed to supporting our customers and communicating transparently about this incident.”

Despite Mixpanel’s reporting of the incident to OpenAI, the ChatGPT developer said it was cutting ties with the analytics firm. “After reviewing this incident, OpenAI has terminated its use of Mixpanel,” they wrote.

Some OpenAI customers took to social media to express frustration with the revelation that a third-party service had access to their information.

“I’m not very happy about this. […] Why did they have to pass on my name and email address to Mixpanel?” one user wrote on X. “I’m just a hobbyist trying to make small experiments.”

“OpenAI sending names and emails to a third party analytics platform (Mixpanel) feels wildly irresponsible,” another wrote.

OpenAI and Mixpanel did not immediately respond to requests for comment by Decrypt.