OpenAI has revealed a data breach involving its third-party analytics provider, Mixpanel, that exposed limited user data tied to the company’s API platform (platform.openai.com). OpenAI confirmed that its own systems were not compromised, with no chats, API requests, passwords, or sensitive credentials exposed.
Mixpanel detected a smishing campaign targeting its staff on November 8, 2025, and immediately launched its incident response to contain the threat and lock down affected accounts. Mixpanel informed OpenAI during its investigation and later provided details about the exposed data on November 25, 2025. The compromised information included names, email addresses, approximate location data (city, state, and country), operating systems and browsers, referring websites, and organization or user IDs associated with API accounts. OpenAI verified that sensitive data, including chat logs, API keys, passwords, payment details, and government-issued IDs, was not compromised. In response, OpenAI discontinued using Mixpanel in its production environment and began notifying affected users and organizations.
While the breach did not compromise OpenAI’s core systems or sensitive user credentials, the exposed data increases the risk of phishing and social engineering attacks. Attackers with access to names, emails, and system profiles could craft convincing fraudulent messages targeting affected users or organizations. OpenAI advised users to remain vigilant, verify any suspicious communications claiming to be from the company, and never share sensitive information such as passwords or verification codes by email or text. Mixpanel responded by restricting affected customer accounts, ending active sessions, blocking the intruder’s network addresses, replacing exposed credentials, resetting workforce passwords, and reviewing relevant logs.
Mixpanel has also brought in external cyber forensics experts to dig deeper. They flagged related IOCs for ongoing monitoring and implemented stronger controls. The company has engaged law enforcement and cybersecurity specialists and is treating the incident as a serious criminal case.
This breach highlights the hidden risks posed by third-party providers that hold user data, even when it’s metadata rather than core credentials. OpenAI’s prompt disclosure and swift actions show a serious approach to managing vendor risks and protecting users. At the same time, it’s a reminder that names and email addresses alone can be starting points for cyberattacks, so vigilance remains essential.