Supply Chain Attack on OpenAI: Analytics Provider Mixpanel Compromised – Against Invaders

Redazione RHC:27 November 2025 10:30

OpenAI has confirmed a security incident at Mixpanel, a third-party analytics provider used for its APIs. According to the investigation, the cause of the security incident involving OpenAI and Mixpanel has been identified as a breach of Mixpanel’s systems, ruling out any involvement of OpenAI’s infrastructure.

The preliminary investigation indicates that an attacker gained unauthorized access to a portion of the Mixpanel environment and extracted a dataset containing limited identifying information about some OpenAI API users. OpenAI has stated that the incident did not affect users of ChatGPT or other consumer products.

Mixpanel Incident: What Happened?

The OpenAI Mixpanel security incident began on November 9, 2025, when Mixpanel detected an intrusion into its systems. The attacker successfully exported a dataset containing identifiable customer information and analytics data. Mixpanel notified OpenAI the same day and shared the affected dataset for review on November 25.

The exfiltrated dataset was strictly limited to analytics data collected through the Mixpanel tracking setup on platform.openai.com, the frontend interface for OpenAI’s API product.

OpenAI emphasized that despite the breach, no OpenAI systems were compromised and that no sensitive information such as chat content, API requests, prompts, output, API keys, passwords, payment details, government IDs, or authentication tokens were exposed.

Potentially exposed information

OpenAI confirmed that the type of information potentially included in the dataset included:

• Names provided in API accounts
• Email addresses associated with API accounts
• Approximate location data (city, state, country) based on browser metadata
• Operating system and browser information
• Reference websites
• Organization or user IDs linked to API accounts

OpenAI’s Response and Security Measures

In response to the Mixpanel security incident, OpenAI immediately removed Mixpanel from all production services and began reviewing the affected datasets. The company is actively notifying affected organizations, administrators, and users through direct communications.

OpenAI said it has not found any indication of impact outside of Mixpanel systems, but continues to closely monitor the situation for signs of misuse.

To build user trust and enhance data protection, OpenAI has:

• He stopped using Mixpanel
• Began conducting advanced security reviews on all third-party vendors
• Increased security requirements for partners and service providers
• It has launched a broader review of its supplier ecosystem

OpenAI reiterated that trust, security, and privacy remain at the core of its mission and that transparency is a priority when addressing incidents involving user data.

Phishing and social engineering risks for affected users

While the exposed information does not include highly sensitive data, OpenAI warned that the affected details, such as names, email addresses, and user IDs, could be exploited for phishing or social engineering attacks.

The company has urged users to be wary of suspicious messages, especially those containing links or attachments. Users are advised to:

• Verify messages claiming to be from OpenAI
• Beware of unwanted communications
• Enable multi-factor authentication (MFA) on their accounts
• Avoid sharing passwords, API keys, or verification codes

OpenAI has confirmed that it will provide further updates as new information emerges from the ongoing investigation. Concerned users can contact [emailprotected] for support or clarification.