OpenAI reports third-party data breach affecting API users through analytics provider Mixpanel
OpenAI is reporting a security incident affecting users of its application programming interface (API) platform after a breach at Mixpanel, a third-party web analytics provider the company used for tracking usage on platform.openai.com.
OpenAI emphasized that this was not a breach of its own systems and that the incident exposed limited user information belonging to an undisclosed number of API account holders. ChatGPT users and the core ChatGPT platform are not affected by this breach, and no chat content, API usage data, passwords, payment details, or government identification documents were compromised.
On November 9, 2025, an attacker gained unauthorized access to portions of Mixpanel's systems and exported a dataset containing customer identifiable information and analytics data.
Mixpanel notified OpenAI that it was investigating the incident and shared the affected dataset with the AI company on November 25, 2025. The compromised data includes:
- Names provided on API accounts
- Email addresses associated with API accounts
- Approximate coarse location data based on IP addresses and browser information (city, state, country)
- Operating system and browser types used to access accounts
- Referring websites
- Organization and User IDs associated with API accounts
The number of affected individuals is not disclosed. The company has warned affected users that the exposed information could be used in phishing or social engineering attacks.
OpenAI recommends that potentially impacted users be careful of phishing attempts, treat unexpected emails with caution (especially those containing links or attachments), verify that communications claiming to be from OpenAI originate from official company domains, and enable multi-factor authentication on their accounts.
The company has set up a dedicated email address (mixpanelincident@openai.com) for users to direct questions or concerns about the incident.