OpenAI Breach Alert: Mixpanel Incident Exposes Limited API User Data

Vlad CONSTANTINESCU

November 27, 2025


Company says no API data or credentials were exposed, but warns users to watch out for phishing attempts.

Third-party breach exposes limited API account metadata

OpenAI is notifying customers about a security incident involving Mixpanel, a third-party analytics provider previously used on the frontend of its API platform. The intrusion occurred entirely within Mixpanel’s systems and affected a subset of analytics data linked to API user accounts, the company says. OpenAI emphasized that its own infrastructure remains secure: “This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.”

Mixpanel first detected the unauthorized access on Nov. 9, 2025. Investigators later confirmed that an attacker had exported a dataset containing customer-identifiable metadata. The provider supplied OpenAI with the impacted dataset on Nov. 25, enabling a detailed examination of the information exposed.

What data was impacted

The compromised information consisted mainly of profile and analytics details associated with logins on platform.openai.com. OpenAI informed customers that the exported records may have contained the following:

  • Account names
  • Email addresses
  • Approximate location derived from browser data
  • Device details
  • Referring websites
  • User or organization identifiers

The company said no sensitive authentication data or API content was included.

While the breach was confined to Mixpanel, the metadata involved could still be misused in targeted phishing or impersonation. OpenAI reiterated this concern in its notice, warning that attackers may craft messages that appear credible using exposed identifiers such as email addresses and user IDs.

OpenAI stops using Mixpanel and expands vendor security reviews

Following the incident, OpenAI removed Mixpanel from all production environments and began notifying affected organizations and administrators. The company said it continues to monitor for misuse and has found “no evidence of any effect on systems or data outside Mixpanel’s environment.”

In response to the breach, OpenAI ended its relationship with Mixpanel and launched broader security reviews across its vendor ecosystem. The company said it is raising security requirements for all partners and reaffirmed its commitment to transparency and user protection.

Users encouraged to strengthen account defenses

OpenAI urged API customers to remain vigilant, noting that exposed metadata could fuel socially engineered attacks. The company advised users to treat unexpected messages with caution, verify that communications originate from official OpenAI domains, avoid sharing passwords or API keys, and enable multi-factor authentication (MFA) to strengthen account security.
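The domain check advised above can be scripted as a first-pass triage of a suspicious message. This is an added example, not code from OpenAI or from the original article; it assumes `openai.com` (the parent of the `platform.openai.com` host named above) is the official domain, that the `Authentication-Results` header was stamped by your own receiving mail server, and that the message is single-part plain text.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OFFICIAL = "openai.com"  # assumption: parent of platform.openai.com named in the article

def is_official(host):
    """True only for the official domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def triage(raw):
    """List the reasons a message claiming to be from OpenAI should not be trusted."""
    msg = message_from_string(raw)
    findings = []
    if not is_official(domain_of(msg["From"])):
        findings.append("From domain is not official: " + domain_of(msg["From"]))
    reply = domain_of(msg["Reply-To"])
    if reply and not is_official(reply):
        findings.append("Reply-To diverts replies to: " + reply)
    # Only meaningful when this header was stamped by your own receiving server.
    if not re.search(r"\bdmarc=pass\b", msg.get("Authentication-Results", ""), re.I):
        findings.append("no dmarc=pass in Authentication-Results")
    for authority in re.findall(r"https?://([^\s/?#\"'<>)]+)", msg.get_payload()):
        host = authority.rpartition("@")[2].split(":")[0]  # drop userinfo and port
        if not is_official(host):
            findings.append("link leaves official domain: " + host)
    return findings

# Constructed samples (single-part plain text); .example names are placeholders.
PHISH = """\
From: "OpenAI Security" <security@openai-alerts.example>
Reply-To: help@openai-alerts.example
Authentication-Results: mx.recipient.example; dmarc=pass header.from=openai-alerts.example
Subject: Action required after the Mixpanel incident

Your API key was exposed. Re-verify at https://platform.openai.com.verify.example/login
"""
LEGIT = """\
From: OpenAI <noreply@openai.com>
Authentication-Results: mx.recipient.example; dmarc=pass header.from=openai.com
Subject: Security notice

Read the notice at https://platform.openai.com/
"""
```

The constructed phishing sample passes DMARC for its own lookalike domain, which is why the sender and link domains are compared against the official domain rather than relying on the authentication result alone.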

To further reduce exposure to impersonation attempts and safeguard personal identifiers, users may also consider layering in dedicated protection tools.

Bitdefender Digital Identity Protection helps monitor for leaked personal data across the web and alerts you if your information appears in breaches or malicious marketplaces. For suspicious messages or potential phishing attempts, Bitdefender Scamio offers an easy way to check emails, links, screenshots and chats for signs of fraud before engaging with them. Both tools can serve as an added buffer at a time when threat actors often weaponize even limited metadata.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
