OpenAIMaster: OpenAI confirms ChatGPT data breach. Here is everything we know

ChatGPT maker OpenAI has confirmed a security incident, which it says is not its fault.

The data breach involves a third-party analytics provider, Mixpanel, which resulted in the exposure of limited user data associated with its API platform.

“This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed,” the company said in an email notifying users on Thursday.

Mixpanel reportedly became aware of an attacker on November 9, OpenAI said.

The threat actor gained unauthorised access to part of its systems and exported a dataset which had limited customer-identifiable information and analytics data.

OpenAI said the information that may have been affected was limited to names, email addresses, and user identifiers.

OpenAI said that it had terminated its use of Mixpanel and reaffirmed that the breach wasn’t caused by any vulnerabilities in OpenAI’s systems.

What does it mean for your data?

The company said it would investigate the breach and urged users to be especially vigilant against phishing-type attacks and social engineering scams that might attempt to leverage the stolen data.

Users have been encouraged to enable multi-factor authentication as an additional protective measure for their accounts.

While OpenAI said no conversations with ChatGPT were exposed, the incident is a reminder of how much personal data OpenAI has access to as people bear their so

Source: https://www.euronews.com/next/2025/11/27/openai-confirms-chatgpt-data-breach-here-is-everything-we-know

TPRM report: https://www.rankiteo.com/company/openai-master

"id": "ope1764300686.799979",
"linkid": "openai-master",
"type": "Breach",
"date": "2025-11-27T00:00:00.000Z",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'incident': {'affected_entities': [{'customers_affected': None,
                                     'industry': 'Artificial Intelligence',
                                     'location': 'San Francisco, California, '
                                                 'USA',
                                     'name': 'OpenAI',
                                     'size': None,
                                     'type': 'Technology Company (AI)'},
                                    {'customers_affected': None,
                                     'industry': 'Data Analytics',
                                     'location': None,
                                     'name': 'Mixpanel',
                                     'size': None,
                                     'type': 'Third-Party Analytics Provider'}],
              'attack_vector': 'Unauthorized Access to Third-Party Systems '
                               '(Mixpanel)',
              'customer_advisories': 'Email notification sent to users on '
                                     '2023-11-09 (exact date not specified in '
                                     'text).',
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': True,
                              'file_types_exposed': None,
                              'number_of_records_exposed': None,
                              'personally_identifiable_information': ['Names',
                                                                      'Email '
                                                                      'Addresses',
                                                                      'User '
                                                                      'Identifiers'],
                              'sensitivity_of_data': 'Low to Moderate (no '
                                                     'financial, credential, '
                                                     'or conversation data '
                                                     'exposed)',
                              'type_of_data_compromised': ['Customer-Identifiable '
                                                           'Information',
                                                           'Analytics Data']},
              'date_detected': '2023-11-09',
              'description': 'OpenAI confirmed a security incident involving a '
                             'third-party analytics provider, Mixpanel, which '
                             'resulted in the exposure of limited user data '
                             'associated with its API platform. The breach was '
                             'not due to vulnerabilities in OpenAI’s systems '
                             'but involved unauthorized access to Mixpanel’s '
                             'systems, leading to the exfiltration of a '
                             'dataset containing names, email addresses, and '
                             'user identifiers. OpenAI terminated its use of '
                             'Mixpanel and urged users to enable multi-factor '
                             'authentication (MFA) as a precaution against '
                             'phishing and social engineering attacks.',
              'impact': {'brand_reputation_impact': 'Potential erosion of '
                                                    'trust due to third-party '
                                                    'breach, though OpenAI '
                                                    'clarified no direct '
                                                    'compromise of its systems '
                                                    'or sensitive data (e.g., '
                                                    'chats, payment details).',
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': ['Names',
                                              'Email Addresses',
                                              'User Identifiers'],
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': 'Low (limited to names, '
                                                'emails, and user IDs, but '
                                                'phishing/social engineering '
                                                'risk highlighted)',
                         'legal_liabilities': None,
                         'operational_impact': None,
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': ['Mixpanel’s Analytics Systems']},
              'investigation_status': 'Ongoing (OpenAI investigating the '
                                      'breach)',
              'lessons_learned': 'Risks associated with third-party vendors '
                                 'highlight the need for rigorous vendor '
                                 'security assessments and contractual '
                                 'obligations for data protection. Proactive '
                                 'user communication and MFA adoption can '
                                 'mitigate post-breach risks.',
              'post_incident_analysis': {'corrective_actions': ['Termination '
                                                                'of Mixpanel’s '
                                                                'services',
                                                                'User '
                                                                'notifications '
                                                                'and MFA '
                                                                'recommendations.'],
                                         'root_causes': ['Unauthorized access '
                                                         'to Mixpanel’s '
                                                         'systems by an '
                                                         'unknown threat '
                                                         'actor.']},
              'recommendations': ['Conduct thorough security audits of '
                                  'third-party vendors with access to user '
                                  'data.',
                                  'Implement stricter data minimization '
                                  'practices for analytics providers.',
                                  'Enhance user education on phishing and '
                                  'social engineering risks.',
                                  'Encourage widespread adoption of '
                                  'multi-factor authentication (MFA).'],
              'references': [{'date_accessed': None,
                              'source': 'OpenAI User Notification Email',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': None,
                                        'regulations_violated': None,
                                        'regulatory_notifications': None},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': ['Email notifications to '
                                                      'users',
                                                      'Public clarification '
                                                      'that OpenAI’s systems '
                                                      'were not breached'],
                           'containment_measures': ['Termination of Mixpanel’s '
                                                    'services'],
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': True,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': ['Investigation into the '
                                                    'breach',
                                                    'User notifications',
                                                    'Encouragement to enable '
                                                    'MFA'],
                           'third_party_assistance': None},
              'stakeholder_advisories': 'Users advised to enable MFA and '
                                        'remain vigilant against phishing '
                                        'attempts.',
              'title': 'OpenAI Third-Party Data Breach via Mixpanel',
              'type': 'Data Breach (Third-Party)'}}