OpenAI confirms data leak. Who was affected by the incident?

The attack on the Mixpanel analytics platform exposed OpenAI API user data, although it did not include passwords, keys or payment information.

How did the attack happen?

Artificial intelligence giant OpenAI reported a data breach last week that affected users of its API. The leak resulted from an attack on Mixpanel, an analytics provider that works with the creator of ChatGPT.

According to Mixpanel, an unknown attacker gained access to parts of the company’s systems and exported a dataset containing identifiable customer metadata and analytical information. The stolen data included usernames, email addresses, approximate browser-based location, operating system, and browser details.

OpenAI says the leak did not include user questions (prompts), API keys, payment information or authentication tokens. The breach affected only users who access OpenAI technology via the API, i.e. through external applications using GPT. People logging directly into the ChatGPT chatbot on the OpenAI website were not affected by the incident.

Companies’ reaction to the incident

In its statement, OpenAI emphasized that as part of its security investigation, it has removed Mixpanel from its production services, has analyzed the affected data sets, and is working with Mixpanel and other partners to fully understand the scope of the incident.

Mixpanel, founded in 2009 in San Francisco, is an analytics platform for tracking user behavior in web and mobile applications. The company detected a smishing campaign and, after an initial investigation, informed OpenAI about the incident the next day.

Smishing is a type of phishing attack carried out via SMS messages. According to an October report from Spacelift, smishing accounted for 39 percent of all mobile threats in 2024.

Corrective actions and consequences

Mixpanel secured affected accounts, revoked active sessions, changed compromised credentials, and blocked malicious IP addresses. The company also reset employee passwords, hired outside cybersecurity firms and analyzed authentication, session and export logs.

Mixpanel CEO Jen Taylor said in a statement that the company had notified all affected customers. Customers who were not contacted directly were not affected by the breach.

Despite Mixpanel reporting the incident, OpenAI decided to end its cooperation with the analytics company.

"After reviewing this incident, OpenAI has terminated its use of Mixpanel," the statement read.

User reactions

Some OpenAI customers expressed frustration on social media that a third-party service had access to their data.

OpenAI committed to transparency and to notifying all affected customers, emphasizing that it holds its partners and suppliers accountable to the highest security and privacy standards.