OpenAI Confirms User Data Exposed After Mixpanel Security Breach, Launches Probe

OpenAI has confirmed that some user information was exposed following a security breach involving analytics partner Mixpanel. The company disclosed on Thursday that while the incident did not compromise sensitive data or affect core products such as ChatGPT and Sora, limited details linked to its API users may have been leaked.

The breach occurred on November 9, when a threat actor infiltrated Mixpanel’s systems and exported a dataset containing analytics from several organisations, including OpenAI. The AI firm added that Mixpanel notified it on November 25 as part of the ongoing investigation.

No Passwords, API Keys, Payment Data Impacted

According to OpenAI, servers and products remained secure during the incident, and critical data, including API usage details, credentials, government IDs, and payment information, was not affected.

However, some user profile information associated with “platform.openai.com” may have been included in the compromised dataset, such as:

• Name linked to the API account
• Email address
• Coarse location (city, state, country) based on browser data
• Browser and operating system used
• Referring website information
• Organisation or user IDs associated with the account

As a precaution, OpenAI removed Mixpanel from its production environment and is reviewing the affected data with its analytics partner and cybersecurity experts to determine the full impact.

“We have found no evidence of any effect on systems or data outside Mixpanel’s environment, but we continue to monitor closely for any signs of misuse,” the company stated.

Users Asked To Stay Vigilant

OpenAI has reached out to potentially affected API users, advising them to be cautious of suspicious emails or credible-looking phishing attempts, a common risk following data exposure incidents.

While the investigation continues, the company emphasised that the privacy and security of its growing user base remains a priority, and that the breach did not involve end-users of ChatGPT, the Sora app, or the ChatGPT Atlas browser.