OpenAI dumps Mixpanel after Nov 9 breach exposes API user emails, names via SMS phishing attack

OpenAI Mixpanel Data Breach – Interactive Security Tracker

🚨

OpenAI Data Breach Alert: API User Information Exposed

Third-party analytics provider Mixpanel compromised via SMS phishing attack

Users accessing OpenAI’s API platform woke up to security breach notifications on November 27, 2025, following a data compromise at Mixpanel, the company’s third-party analytics provider. The incident exposed limited identifying information for API users while leaving ChatGPT users and core OpenAI systems unaffected.

The breach originated from a smishing campaign (SMS phishing) that Mixpanel detected on November 8, 2025. An attacker gained unauthorized access to Mixpanel’s systems on November 9, exporting a dataset containing customer identifiable information and analytics data. Mixpanel shared the affected dataset with OpenAI on November 25, prompting immediate action and user notifications.

Only users of OpenAI’s API platform at platform.openai.com were potentially impacted. No chat content, API requests, passwords, API keys, payment details, or government IDs were compromised. OpenAI terminated its partnership with Mixpanel and removed the service from all production systems following the incident.

The exposed information includes names, email addresses, approximate geographic locations (city, state, country), operating system and browser details, referring websites, and organization or user IDs associated with API accounts. Security experts warn this data could be leveraged in targeted phishing campaigns against developers and organizations.

Breach Impact at a Glance

Understanding what data was exposed and what remains secure in the Mixpanel security incident

📧

EXPOSED

Email Addresses

👤

EXPOSED

User Names

📍

EXPOSED

Approximate Locations

🔧

API ONLY

platform.openai.com Users

🔒

SECURE

ChatGPT Conversations

🔑

SECURE

Passwords & API Keys

Attack Timeline: How the Breach Unfolded

A chronological breakdown of the Mixpanel security incident from detection to disclosure

November 8, 2025

Mixpanel detects smishing (SMS phishing) campaign targeting employee credentials and promptly activates incident response processes to contain the threat and investigate suspicious activity.

November 9, 2025

Attacker gains unauthorized access to Mixpanel systems and exports dataset containing limited customer identifiable information and analytics data from multiple clients including OpenAI.

November 9-25, 2025

Mixpanel conducts internal forensic investigation with third-party security experts to determine full scope of breach. Company secures affected accounts, revokes sessions, rotates credentials, and blocks attacker IP addresses.

November 25, 2025

Mixpanel completes investigation and shares affected dataset with OpenAI, enabling the company to begin notifying impacted organizations and individual API users.

November 27, 2025

OpenAI publicly discloses breach, terminates Mixpanel partnership, removes service from all production systems, and begins directly notifying affected API users via email about potential exposure.

Ongoing Response

OpenAI conducts expanded security audits across entire vendor ecosystem, implements elevated security requirements for all third-party partners, and continues monitoring for signs of data misuse.

Data Exposure Breakdown

Interactive overview of compromised and secure information categories

📧

Email Addresses

EXPOSED

👤

Account Names

EXPOSED

📍

Location Data (City/State)

EXPOSED

💻

OS & Browser Info

EXPOSED

🔗

Referring Websites

EXPOSED

🆔

User/Organization IDs

EXPOSED

💬

Chat Content

SECURE

🔑

Passwords

SECURE

🔐

API Keys

SECURE

💳

Payment Details

SECURE

📄

Government IDs

SECURE

📡

API Usage Data

SECURE

Essential Security Measures

Protect your OpenAI API account and data from potential phishing attempts

Stay Alert for Phishing Attempts

Exercise extreme caution with unexpected emails or messages, especially those containing links or attachments. Attackers may use exposed information to craft convincing phishing campaigns targeting API users and organizations.

Verify All Communications

Always verify that messages claiming to be from OpenAI originate from official OpenAI domains. Remember that OpenAI never requests passwords, API keys, or verification codes through email, text, or chat.

Enable Multi-Factor Authentication

Add an extra security layer to your OpenAI account by enabling MFA. Organizations should implement MFA at the single sign-on level for comprehensive protection across all users and API access points.

Monitor Account Activity

Keep close watch on your OpenAI API account for any unusual activity. Check regularly for unauthorized access attempts, unexpected API usage patterns, or changes to account settings and configurations.

Report Suspicious Activity

If you receive questionable communications claiming to be from OpenAI or notice suspicious account activity, report it immediately to OpenAI’s support team at mixpanelincident@openai.com for investigation.

Follow Official Updates

Stay informed through official OpenAI security updates for the latest information about the breach and any additional protective measures you should implement.

Common Questions About the Breach

Find answers to frequently asked questions about the Mixpanel security incident

Was OpenAI’s system directly breached in this incident? ▼

No. This was not a breach of OpenAI’s systems. The security incident occurred entirely within Mixpanel’s environment, a third-party analytics provider that OpenAI used for web analytics on the frontend interface for their API product at platform.openai.com. OpenAI’s core infrastructure, chat systems, and API services remained secure throughout the incident.

Are ChatGPT users affected by this security breach? ▼

No. Users of ChatGPT and other OpenAI consumer products were not impacted by this incident. The breach only affected users of the OpenAI API platform accessed through platform.openai.com. No chat content, conversations, or ChatGPT account information was exposed in this breach.

Do I need to reset my password or rotate API keys? ▼

No. OpenAI is not recommending users reset their passwords or rotate API keys because these credentials were not compromised in the breach. However, enabling multi-factor authentication is strongly recommended as a best practice security measure to further protect your account against future threats.

How did the attackers gain access to Mixpanel’s systems? ▼

The breach resulted from a smishing campaign (SMS phishing) that Mixpanel detected on November 8, 2025. The attacker successfully compromised employee credentials and gained unauthorized access to part of Mixpanel’s systems on November 9, 2025, subsequently exporting a dataset containing limited customer identifiable information and analytics data.

What actions has OpenAI taken in response to this breach? ▼

OpenAI has terminated its partnership with Mixpanel and removed the service from all production systems. The company is conducting expanded security reviews across its entire vendor ecosystem and elevating security requirements for all third-party partners. OpenAI is also directly notifying all affected organizations and users via email.

How can I confirm if my data was affected by this breach? ▼

OpenAI is notifying all impacted users and organizations directly via email. If you were affected, you should receive direct communication from OpenAI. The breach only impacted users who accessed the API platform at platform.openai.com, not general ChatGPT users. If you have concerns, contact OpenAI at mixpanelincident@openai.com.

What security risks does the exposed data present? ▼

The exposed information (names, email addresses, locations, and user IDs) could potentially be used in phishing or social engineering attacks. Attackers might send emails that appear legitimate, attempting to trick users into revealing sensitive information or clicking malicious links. This is why remaining vigilant about suspicious communications is crucial.

Were other companies affected by the Mixpanel breach? ▼

Yes. Reports confirm that other Mixpanel customers were also impacted, including CoinTracker, a cryptocurrency portfolio tracker and tax platform, where exposed data included device metadata and limited transaction counts. Mixpanel’s CEO stated that all impacted customers have been contacted directly. If you use other services employing Mixpanel for analytics, check for notifications from those providers.

Understanding the Incident

The security incident at Mixpanel affected a subset of OpenAI’s API users between November 8-9, 2025. The breach exposed limited identifying information including names, email addresses, and metadata, while core systems, credentials, and sensitive data remained secure.

OpenAI responded by terminating the Mixpanel partnership, removing the service from production systems, and notifying affected users within two days of receiving the dataset. The company has initiated expanded security reviews across its vendor ecosystem.

API users should remain vigilant for phishing attempts and verify all communications claiming to be from OpenAI. Multi-factor authentication is recommended for all accounts. Users who have not received direct notification from OpenAI were not impacted by the breach.

The incident occurred within Mixpanel’s infrastructure following a smishing campaign. ChatGPT users and OpenAI’s other products were not affected. No passwords, API keys, payment information, or government IDs were compromised in the breach.

Protect Your Digital Security

Data breaches affecting third-party services are increasingly common. Take proactive steps to secure your accounts and remain vigilant against phishing attempts that may leverage exposed information.

Read OpenAI Official Statement Latest Tech Security News