  OpenAI Confirms User Data Exposed After Mixpanel Security Breach

OpenAI Confirms User Data Exposed After Mixpanel Security Breach

OpenAI said that some of the data relating to its API users, such as name, email, and location, could have been compromised.

Written by Akash Dutta, Edited by Rohan Pal | Updated: 27 November 2025 16:24 IST
OpenAI Confirms User Data Exposed After Mixpanel Security Breach

Photo Credit: Reuters

OpenAI has asked impacted users to remain vigilant for credible-looking phishing attempts

Highlights
  • The Mixpanel data breach occurred on November 9
  • OpenAI said no chat, password, or API keys were exposed
  • The AI giant has removed Mixpanel from its production services
OpenAI's user data was exposed in a recent Mixpanel data breach, the company stated on Thursday. The San Francisco-based artificial intelligence (AI) giant revealed that while most of its sensitive user data, and the data of the end-users accessing ChatGPT, Sora app, and the ChatGPT Atlas browser was not exposed in this breach, some information about its application programming interface (API) users might have been leaked. The company has now started a security investigation, and OpenAI has stopped using Mixpanel services.

OpenAI's API Data Might Have Been Breached

In a newsroom post, the AI giant detailed the data breach incident that occurred on November 9. Mixpanel's systems were hacked into by an attacker and the threat actor was able to export a dataset that also included information about OpenAI's users. However, the ChatGPT maker said that the breached dataset contained limited customer identifiable information and analytics information. Mixpanel shared the affected dataset with the AI company on November 25, stating that they were investigating the incident.

OpenAI also highlighted that its servers and products were not impacted in this data breach, and sensitive data, such as that, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs, were not compromised.

Detailing the impact OpenAI's API users should expect, the company said that user profile information associated with the use of “platform.openai.com” might have been included in the exported data. The particulars of the breach could include:

  • Name that was provided to OpenAI on the API account 
  • Email address associated with the API account
  • Approximate coarse location based on API user browser (city, state, country)
  • Operating system and browser used to access the API account
  • Referring websites
  • Organisation or User IDs associated with the API account

As a response, the ChatGPT maker has removed Mixpanel from its production services. It has also reviewed the affected datasets and is working with the digital analytics company and other partners to understand the full scope of the breach. “While we have found no evidence of any effect on systems or data outside Mixpanel's environment, we continue to monitor closely for any signs of misuse,” the company said.

As a preventive measure, the AI giant has requested all potentially impacted users to remain alert towards “credible-looking phishing attempts or spam.”

Further reading: OpenAI, Mixpanel, data privacy, cybersecurity, AI, Artificial Intelligence
