OpenAI terminates Mixpanel after security breach exposes user details

OpenAI has unveiled a security breach incident involving Mixpanel, a third party analytics provider used to track usage on the company’s API platform.

The incident occurred within Mixpanel’s systems, exposing limited user information. However, OpenAI confirmed that its core systems or sensitive data was not compromised.

As outlined in the OpenAI’s transparency notice, the breach was confined to Mixpanel’s infrastructure and affected only users of “platform.openai.com.”

It is also confirmed that ChatGPT users and other OpenAI products remained unaffected. The company also noted that no chat content, API requests, passwords, credentials, API keys, payment information, or government IDs were compromised.

The timeline of incident highlights Mixpanel detected unauthorized access to its systems on November 9, 2025 with OpenAI receiving confirmation and the affected dataset on November 25.

The information that was compromised includes:

• Names associated with API accounts
• Email Addresses
• Approximate location data (city, state, country)
• Browser and operating system information
• Referring websites
• Organisations and user IDs

Responding to the incident, OpenAI has removed Mixpanel from its production services and terminated their partnership.

The company is conducting expanded security reviews across its vendor ecosystem and elevating security requirements for all partners.

OpenAI warned that the exposed information can be used in phishing or social engineering attacks.

Users are advised to treat unexpected emails with caution, authenticate sender domains, and enable multi-factor authentication as a precautionary measure.

The company confirms that password changes and API key rotations are unnecessary since these details were not compromised.