What to know about a recent Mixpanel security incident



December 19, 2025 clarification: We’re updating the blog to clarify the description of impacted customers. The original blog said that “API customers” were impacted. It has been updated to add: “It also affected a limited number of ChatGPT customers who submitted help center tickets or were logged into platform.openai.com.” All impacted customers were identified and notified at the same time as part of the original outreach to customers. Other than this clarification, nothing else about our understanding of the incident, including the kind of information involved, has changed.

Transparency is important to us, so we want to tell you about a recent security incident at Mixpanel, a data analytics provider OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com).

The incident occurred within Mixpanel’s systems and involved limited analytics data related to some customers of the API. It also affected a limited number of ChatGPT customers who submitted help center tickets or were logged into platform.openai.com.

This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.

On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.

What this means for impacted customers

  • Name that was provided to us on the account
  • Email address associated with the account
  • Approximate coarse location based on the user’s browser (city, state, country)
  • Operating system and browser used to access the account
  • Referring websites
  • Organization or user IDs associated with the account

As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We’re in the process of notifying impacted organizations, admins, and customers directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse.

Trust, security, and privacy are foundational to our products, our organization, and our mission. We’re committed to transparency, and are notifying all impacted consumers and customers. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.

Beyond Mixpanel, we’re conducting additional and expanded security reviews across our vendor ecosystem and are raising security requirements for all partners and vendors.

What you should keep in mind

The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.

Since names, email addresses, and OpenAI API metadata (e.g., user IDs) were included, we encourage you to remain vigilant for credible-looking phishing attempts or spam. As a reminder:

  • Treat unexpected emails or messages with caution, especially if they include links or attachments.
  • Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain.
  • OpenAI does not request passwords, API keys, or verification codes through email, text, or chat.
  • Further protect your account by enabling multi-factor authentication.

The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise. Thank you for your continued trust in us.

Why did OpenAI use Mixpanel?

  • Mixpanel was used as a third-party web analytics provider to help us understand product usage and improve our services for our API product (platform.openai.com). A limited number of ChatGPT customers who submitted tickets through the help center or who were logged into platform.openai.com may have had the information described above logged by Mixpanel. Those customers were identified at the time and have already been notified.

Was this caused by a vulnerability in OpenAI’s systems?

  • No. This incident was limited to Mixpanel’s systems and did not involve unauthorized access to OpenAI’s infrastructure.

How do I know if my organization or I were impacted?

  • We’re in the process of notifying those impacted now, and we will reach out to you, or your organization admin, directly via email to inform you.

Was any of my API data, prompts, or outputs affected?

  • No. Chat content, prompts, responses, or API usage data were not impacted.

Were ChatGPT accounts affected by this?

  • Some customers of ChatGPT who submitted tickets through the help center or were logged into platform.api.com may have been impacted. They had been notified previously.

Were OpenAI passwords, API keys, or payment information exposed?

  • No. OpenAI passwords, API keys, payment information, government IDs, and account access credentials were not impacted. Additionally, we have confirmed that session tokens, authentication tokens, and other sensitive parameters for OpenAI services were not impacted.

Do I need to reset my password or rotate my API keys?

  • Because passwords and API keys were not affected, we are not recommending resets or key rotation in response to this incident.

What are you doing to protect my personal information and privacy?

  • We have obtained the impacted datasets for independent review and are continuing to investigate potential impact, and monitor closely for any signs of misuse. We’re notifying all individually impacted customers and organizations and are in contact with Mixpanel on further response actions.

Has Mixpanel been removed from OpenAI products?

Should I enable multi-factor authentication for my account?

  • Yes. While account credentials or tokens were not impacted in this incident, as a best practice security control, we recommend all customers enable multi-factor authentication to further protect their accounts. For enterprises and organizations, we recommend that MFA is enabled at the single sign-on layer.

Will I receive further updates if something changes?

  • We’re committed to transparency and will keep you informed if we identify new information that materially affects impacted customers. We will also update this FAQ.

Is there someone I can reach out to if I have questions?



