Artificial intelligence (AI) company OpenAI was impacted by a third-party breach affecting analytics company Mixpanel, exposing “limited” user data.
“On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information,” the company wrote in a data breach incident notification on its website.
The ChatGPT maker leverages Mixpanel’s data analytics services to track API user activity on the frontend.
Did the OpenAI third-party breach affect ChatGPT users?
OpenAI says the third-party breach affected only API users and did not impact other products, including the popular AI chatbot ChatGPT.
It also did not leak chats, API data, account credentials (passwords and API keys), payment information (credit cards or bank accounts), or government-issued IDs, such as Social Security Numbers, driver’s licenses, and state or Tax IDs.
“No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed,” the ChatGPT maker explained.
Similarly, the third-party breach did not affect OpenAI’s internal systems and infrastructure. Thus, its operations were unaffected, and users did not experience any downtime.
“This incident was limited to Mixpanel’s systems and did not involve unauthorized access to OpenAI’s infrastructure,” noted OpenAI.
OpenAI third-party breach exposed onl
Source: https://www.cpomagazine.com/cyber-security/third-party-breach-leaks-openais-api-user-data/
Eliza cybersecurity rating report: https://www.rankiteo.com/company/elizahq
"id": "ELI1764872418",
"linkid": "elizahq",
"type": "Breach",
"date": "12/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"{'incident': {'affected_entities': [{'customers_affected': 'API users',
'industry': 'Artificial Intelligence',
'location': None,
'name': 'OpenAI',
'size': None,
'type': 'Company'},
{'customers_affected': None,
'industry': 'Data Analytics',
'location': None,
'name': 'Mixpanel',
'size': None,
'type': 'Company'}],
'attack_vector': 'Unauthorized system access',
'customer_advisories': "Notification on OpenAI's website "
'regarding the breach',
'data_breach': {'data_encryption': None,
'data_exfiltration': 'Yes',
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': 'Yes '
'(limited)',
'sensitivity_of_data': 'Limited',
'type_of_data_compromised': 'Customer '
'identifiable '
'information, '
'analytics '
'information'},
'date_detected': '2025-11-09',
'description': 'OpenAI was impacted by a third-party breach '
'affecting analytics company Mixpanel, exposing '
'limited user data. The attacker gained '
"unauthorized access to Mixpanel's systems and "
'exported a dataset containing limited customer '
'identifiable information and analytics '
'information.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': 'Limited customer identifiable '
'information and analytics '
'information',
'downtime': 'None',
'financial_loss': None,
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': 'None',
'payment_information_risk': 'None',
'revenue_loss': None,
'systems_affected': "Mixpanel's systems"},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'post_incident_analysis': {'corrective_actions': None,
'root_causes': None},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'references': [{'date_accessed': None,
'source': 'Mixpanel Data Breach Incident '
'Notification',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': 'Data breach incident '
'notification on website',
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'title': 'OpenAI Third-Party Breach via Mixpanel',
'type': 'Third-Party Data Breach'}}