OpenAI Confirms Mixpanel Security Incident, No Core Data Exposed

San Francisco, CA – OpenAI has confirmed a security incident involving Mixpanel, a third-party web analytics provider, affecting its API product frontend on November 27, 2025. An attacker gained unauthorized access to Mixpanel’s systems, leading to the export of a dataset containing limited identifiable information of some OpenAI API users.

Mixpanel first detected the unauthorized intrusion on November 9, 2025. The company alerted OpenAI about the breach, which only compromised Mixpanel’s infrastructure, not OpenAI’s systems. OpenAI emphasized that chat content, API requests, passwords, and payment details remained uncompromised despite the incident.

The exported dataset included basic user profile and analytics information associated with the platform.openai.com interface. OpenAI announced it received the affected dataset from Mixpanel on November 25, allowing the company to investigate further and notify affected users.

In response to the exposure, OpenAI acted promptly by removing Mixpanel from its production services. The report stated that the company completed a thorough review of the affected datasets and confirmed the termination of its partnership with Mixpanel, focusing on alerting impacted organizations and users via email.

While OpenAI has found no evidence of misuse, it is closely monitoring for signs of malicious activity. To enhance security, OpenAI is conducting expanded reviews across its vendor ecosystem and strengthening its security requirements for third-party partners.

OpenAI is advising API users to remain vigilant against phishing attempts following the incident but will not require users to reset passwords or rotate API keys. For additional concerns, users can reach out to OpenAI’s support team.