Third-Party Analytics Provider Compromised

OpenAI confirmed on Wednesday that a security incident at analytics provider Mixpanel earlier this month exposed account names, email addresses, and approximate browser-based location data for some users of OpenAI’s API. The breach occurred on November 8, when an unknown attacker gained access to Mixpanel’s systems and exported customer-identifiable metadata.

According to the investigation, the stolen information included usernames, email addresses, approximate browser-based location data, operating system details, and browser specifications. However, OpenAI was quick to clarify that the breach did not include users’ actual prompts, API keys, payment information, or authentication tokens.

Limited Impact Scope

The exposure only affected users who accessed OpenAI’s technology through external applications powered by GPT via the API. If you’ve been using ChatGPT directly through OpenAI’s website, your data wasn’t part of this breach. That’s an important distinction that might provide some relief to many users.

OpenAI stated they’ve taken immediate action by removing Mixpanel from their production services and conducting a thorough review of the affected datasets. They’re working closely with Mixpanel and other partners to fully understand the incident’s scope and implications.

Mixpanel’s Response and Security Measures

Mixpanel, founded in 2009 and based in San Francisco, is a product analytics platform used to track user behavior across web and mobile applications. The company detected what they described as a “smishing” campaign—phishing attacks conducted through SMS messages. After their initial investigation and response, they alerted OpenAI the following day.

The analytics firm implemented several security measures following the breach, including securing affected accounts, revoking active sessions, rotating compromised credentials, and blocking malicious IP addresses. They also reset employee passwords, hired external cybersecurity firms, and reviewed authentication, session, and export logs.

Customer Reactions and OpenAI’s Decision

Despite Mixpanel’s response and transparency efforts, OpenAI has decided to terminate its relationship with the analytics provider. “After reviewing this incident, OpenAI has terminated its use of Mixpanel,” the company stated.

Some OpenAI customers expressed frustration on social media about the revelation that their information was being shared with third-party services. One user questioned why their name and email had to be passed to Mixpanel, noting they were just “a hobbyist trying to make small experiments.” Another described the data sharing as “wildly irresponsible.”

Mixpanel CEO Jen Taylor emphasized that the company is notifying all impacted customers directly, stating, “If you have not heard from us directly, you were not impacted.” The company continues to prioritize security as a core tenet of its operations and remains committed to transparent communication about the incident.

This breach highlights the ongoing challenges companies face in maintaining data security across their entire technology stack, particularly when relying on third-party service providers for analytics and other functions.
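The customer complaints above come down to one design question: why did a third-party analytics pipeline ever receive raw names and email addresses? The snippet below is an added example, not code from OpenAI or Mixpanel, showing one defensive pattern: an allowlist of fields that may leave the first party, a keyed-hash pseudonym in place of the email so the analytics provider holds only an opaque identifier, and a final guard that refuses to serialize an event still carrying PII. The field names, the allowlist, the secret, and the sample event are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical allowlist of fields a third-party analytics sink may receive.
# Anything not listed is dropped before the event leaves first-party systems.
ALLOWED_FIELDS = frozenset({"event", "user_id", "os_family", "browser_family", "country"})

# Fields that must never reach an analytics pipeline; used by the final guard check.
SENSITIVE_FIELDS = frozenset({"email", "name", "ip", "city", "api_key", "auth_token", "prompt"})


def pseudonymous_user_id(email: str, secret: bytes) -> str:
    """Derive a stable, opaque identifier from an email address with a keyed hash.

    The secret stays server-side, so the analytics provider cannot reverse or
    enumerate identifiers. A plain SHA-256 of an email would be trivially
    brute-forceable against lists of known addresses; the HMAC key prevents that.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(secret, normalized, hashlib.sha256).hexdigest()[:32]


def minimize_event(raw: dict, secret: bytes) -> tuple[dict, list[str]]:
    """Return (event safe to send to a third party, sorted list of fields dropped).

    The dropped list is meant for an audit log, so engineers can see which
    fields the client SDK tried to ship and tighten collection at the source.
    """
    safe = {}
    dropped = []
    if "email" in raw:
        safe["user_id"] = pseudonymous_user_id(raw["email"], secret)
    for key, value in raw.items():
        if key in ALLOWED_FIELDS:
            safe[key] = value
        else:
            dropped.append(key)
    return safe, sorted(dropped)


def contains_sensitive(event: dict) -> bool:
    """Guard check before serialization: True if the event still carries any PII field."""
    return any(key in SENSITIVE_FIELDS for key in event)


# Constructed sample event, shaped like what a client SDK might collect (not real data).
SAMPLE_EVENT = {
    "event": "api_request",
    "email": "Dev.Example@example.com",
    "name": "Example Dev",
    "ip": "203.0.113.7",
    "city": "Springfield",
    "country": "US",
    "os_family": "Linux",
    "browser_family": "Firefox",
    "prompt": "summarize this document",
}


if __name__ == "__main__":
    secret = b"placeholder-server-side-secret"  # placeholder; load from a secret store in practice
    safe_event, dropped_fields = minimize_event(SAMPLE_EVENT, secret)
    if contains_sensitive(safe_event):
        raise RuntimeError("refusing to export event that still contains PII")
    print(json.dumps(safe_event, indent=2))
    print("dropped:", dropped_fields)
```

The point of the pattern is that a breach at the provider then exposes only what the allowlist permits: an opaque identifier plus coarse device and country data, never the email, name, IP address, or request content. Because the HMAC secret never leaves the first party, the pseudonym also cannot be joined back to a person by whoever exports the provider's dataset.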