Mixpanel Incident Prompts OpenAI to Drop Analytics Vendor

OpenAI has issued a public disclosure regarding a recent security incident involving Mixpanel, a third-party data analytics provider previously used to track web analytics for OpenAI’s API platform. According to the company, the breach occurred entirely within Mixpanel’s systems and did not compromise any OpenAI infrastructure, ChatGPT data, or API content.

Mixpanel notified OpenAI on November 9, 2025, that an attacker had gained unauthorized access to a portion of its systems. During this intrusion, the attacker exported a dataset containing limited customer-identifiable analytics information.

After conducting an internal investigation, Mixpanel shared the affected dataset with OpenAI on November 25, allowing the company to begin notifying impacted organizations and users.

OpenAI emphasized that no sensitive information, such as chat history, API request content, API usage details, passwords, API keys, payment data, or government identification, was exposed. The incident primarily involved basic profile metadata associated with users of platform.openai.com.

This includes the name and email address tied to the API account, coarse location data based on browser information, operating system and browser details, referring websites, and user or organization IDs.

Following the incident, OpenAI removed Mixpanel from all production services and terminated its use of the analytics platform. The company stated that it is working closely with Mixpanel to fully understand the scope of the breach and is expanding security reviews across its entire vendor ecosystem.

OpenAI noted that, so far, there is no evidence of misuse beyond Mixpanel’s environment.

However, the company warned API users to remain vigilant. The exposed metadata may be used in phishing or social engineering attempts, particularly through emails crafted to appear credible.

OpenAI urged users to inspect unexpected messages carefully, verify official communication domains, avoid sharing sensitive credentials through email or chat, and enable multi-factor authentication for additional protection.

OpenAI reiterated that transparency and user trust remain central to its operations and committed to continued monitoring and strengthening of its third-party security practices.