OpenAI has alerted customers to a security incident involving Mixpanel, a third-party analytics provider the artificial intelligence company previously used to track web analytics on its API platform interface. The breach occurred within Mixpanel’s systems and exposed only limited analytics-level data linked to API accounts, OpenAI said in an email to users on November 27.
The incident occurred within Mixpanel’s systems and involved limited analytics data related to some users of the API. Users of ChatGPT and other products were reportedly not impacted.
“As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We are in the process of notifying impacted organizations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse,” OpenAI said in a statement.
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed, the company mentioned.
“Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel,” firm added.
What happened
On November 9, 2025, Mixpanel detected that an unauthorized party had accessed a portion of its internal systems and downloaded a dataset containing limited customer-identifying details and analytics data. Mixpanel informed OpenAI that they were looking into the issue, and on November 25, 2025, they provided us with a copy of the data that had been taken.
What this means for affected users
Some user profile details linked to activity on platform.openai.com may have been part of the dataset extracted from Mixpanel’s systems. The type of information that could have been exposed includes:
The name listed on the API account
The email address connected to the API account
General location details inferred from a user’s browser (city, state, country)
The browser and operating system used to access the API dashboard
Websites that directed users to the API platform
Organization or user identification numbers tied to the API account
