OpenAI

OpenAI disclosed a security incident involving its third-party analytics provider, Mixpanel, which affected a subset of its API account users. The breach exposed limited user profile data tied to platform.openai.com, including:

- Name (as provided in the API account)
- Email address linked to the API account
- Coarse location (city/state/country derived from browser data)
- Operating system and browser used to access the API
- Referring websites
- Organization/User IDs associated with the API account

OpenAI emphasized that no core systems, chat data, API requests/usage details, passwords, credentials, API keys, payment information, or government IDs were compromised. The incident was isolated to Mixpanel's systems, and OpenAI removed the provider as a precaution. While Apple may have been indirectly involved, no customer data was exposed. Notifications were sent to all subscribers, though only API account holders were at risk. The breach was described as low-consequence, with no evidence of malicious exploitation of the exposed data.

Source: https://9to5mac.com/2025/11/27/psa-openai-is-notifying-all-users-of-a-data-breach-but-you-probably-arent-affected/?extended-comments=1

Cognita Reply cybersecurity rating report: https://www.rankiteo.com/company/cognita-reply

"id": "COG2035720112725",
"linkid": "cognita-reply",
"type": "Breach",
"date": "5/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences: Attack in which data is not compromised"
{'affected_entities': [{'customers_affected': ['API account holders (subset of '
                                               'subscribers)'],
                        'industry': 'artificial intelligence',
                        'location': 'San Francisco, California, USA',
                        'name': 'OpenAI',
                        'type': 'technology company'},
                       {'industry': 'data analytics',
                        'name': 'Mixpanel',
                        'type': 'third-party vendor'},
                       {'customers_affected': ['none (no customer data '
                                               'exposed)'],
                        'industry': 'consumer electronics/software',
                        'location': 'Cupertino, California, USA',
                        'name': 'Apple (potentially)',
                        'type': 'technology company'}],
 'customer_advisories': ['public disclosure to all subscribers (including '
                         'unaffected users)'],
 'data_breach': {'data_exfiltration': ['data exported from Mixpanel'],
                 'personally_identifiable_information': ['name',
                                                         'email address',
                                                         'coarse location '
                                                         '(city/state/country)',
                                                         'organization/user '
                                                         'IDs'],
                 'sensitivity_of_data': ['low to moderate (no highly sensitive '
                                         'data like passwords or payment '
                                         'info)'],
                 'type_of_data_compromised': ['user profile information',
                                              'personally identifiable '
                                              'information (limited)']},
 'description': 'OpenAI notified its subscribers about a security incident at '
                'Mixpanel, a third-party data analytics provider used for web '
                "analytics on OpenAI's API platform (platform.openai.com). The "
                'breach exposed limited user profile information of OpenAI API '
                'account holders, including names, email addresses, coarse '
                'location data, OS/browser details, referring websites, and '
                'organization/user IDs. OpenAI clarified that its own systems '
                'were not breached, and no chat data, API requests, '
                'credentials, payment details, or government IDs were '
                'compromised. OpenAI removed Mixpanel from its production '
                'services and launched an investigation to determine the full '
                'scope of the incident.',
 'impact': {'brand_reputation_impact': ['proactive transparency may mitigate '
                                        'reputational harm'],
            'data_compromised': ['user profile information (API account '
                                 'holders only)',
                                 'name (provided to OpenAI)',
                                 'email address (associated with API account)',
                                 'coarse location (city, state, country, based '
                                 'on browser)',
                                 'operating system and browser used',
                                 'referring websites',
                                 'organization or user IDs (associated with '
                                 'API account)'],
            'identity_theft_risk': ['low (limited PII exposed)'],
            'operational_impact': ["removal of Mixpanel from OpenAI's "
                                   'production services'],
            'payment_information_risk': ['none (no payment details exposed)'],
            'systems_affected': ['Mixpanel (third-party analytics provider)']},
 'investigation_status': ['ongoing (OpenAI investigating full scope)'],
 'post_incident_analysis': {'corrective_actions': ['removal of Mixpanel from '
                                                   'production services']},
 'references': [{'source': 'OpenAI (official notification)'},
                {'source': 'Bleeping Computer'},
                {'source': '9to5Mac'}],
 'response': {'communication_strategy': ['proactive notification to all '
                                         'subscribers (including unaffected '
                                         'users)',
                                         'direct notification to '
                                         'organizations, administrators, and '
                                         'individual API users',
                                         "public disclosure via OpenAI's "
                                         'website'],
              'containment_measures': ["removal of Mixpanel from OpenAI's "
                                       'production services'],
              'incident_response_plan_activated': ['investigation launched']},
 'stakeholder_advisories': ['notifications sent to organizations, '
                            'administrators, and API users'],
 'title': 'Data Breach at Mixpanel Affecting OpenAI API Users',
 'type': ['third-party breach', 'data exposure']}