OpenAI Users Warned of Phishing Risk After Mixpanel Analytics Provider Breach
OpenAI has disclosed a security incident at the third-party web-analytics provider Mixpanel that affected a subset of users of the platform.openai.com API service. The event did not involve any breach of OpenAI’s own systems, nor any exposure of chats, passwords, or API keys. Only a limited set of analytics data was compromised, yet the company warns of elevated risks of phishing and social-engineering attacks in the aftermath.
According to OpenAI, the incident occurred within Mixpanel’s infrastructure and did not impact OpenAI’s operational systems. On 9 November 2025, Mixpanel detected unauthorized access to part of its environment: an adversary succeeded in exfiltrating a dataset containing client analytics. Mixpanel notified OpenAI as it opened an investigation, and on 25 November provided the company with a copy of the affected data to assess the scope of the breach.
Potentially exposed were profile-level details of certain API users that Mixpanel collected through its role as the analytics provider for platform.openai.com. The exfiltrated dataset may have included the name associated with the API account, email address, approximate browser-derived location (city, state, country), operating-system and browser information, referrer sites, and organization or user identifiers linked to the account.
Crucially, chat content, prompts and model responses, API-usage data, passwords, API keys, payment information, government identifiers, and other sensitive credentials were never at risk and remained entirely within OpenAI’s infrastructure. The company also states that session and authentication tokens, along with other critical access parameters, were not affected.
In response, OpenAI fully disconnected Mixpanel from its production services and launched its own investigation into the compromised datasets. The company is working with Mixpanel and other partners to clarify the event and is simultaneously conducting expanded audits across its entire supplier chain. Following this review, OpenAI has discontinued its use of Mixpanel and announced heightened security requirements for all contractors and vendors.
OpenAI has begun directly notifying organizations, administrators, and individual users whose information may have been included in the exfiltrated dataset. While the company currently sees no evidence that the data has been misused outside Mixpanel’s environment, it continues active monitoring for any downstream impact.
The primary risk for affected users is phishing and social-engineering campaigns leveraging real names, email addresses, and OpenAI account metadata. OpenAI urges users to treat unexpected messages with caution — particularly those containing links or attachments — and to verify that any “official” communication originates from valid OpenAI domains. The company stresses that OpenAI never requests passwords, API keys, or verification codes via email, SMS, or chat.
As an additional safeguard, OpenAI recommends enabling multi-factor authentication for individual accounts and enforcing MFA at the single-sign-on level within corporate environments. The company reiterates that security and privacy remain paramount priorities and promises to inform users promptly if any new material information about the incident emerges.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
