OpenAI has sent an email to users about a recent security incident involving Mixpanel, a third-party analytics service it used for tracking web activity on the API dashboard. The company says this incident did not affect any OpenAI systems directly, but some user-identifiable analytics data may have been accessed after an attacker breached Mixpanel’s systems earlier this month.
According to OpenAI, the issue occurred on November 9, 2025, when Mixpanel detected unauthorized access and found that an attacker had exported a dataset containing limited customer information. Mixpanel later shared the affected data with OpenAI on November 25.
The leaked dataset included only analytics-related metadata tied to API dashboard usage. According to the email, the potentially exposed information includes:
- User name provided in the API account
- Email address associated with the API account
- Approximate coarse location (city, state, country)
- Operating system and browser used
- Referring websites
- Organization or User IDs
OpenAI stresses that no chat data, API requests, passwords, API keys, payment information, or government IDs were involved.
OpenAI says it immediately removed Mixpanel from production, reviewed the datasets, and started notifying impacted individuals. The company has also terminated its use of Mixpanel permanently and is expanding security reviews across all vendor partnerships.
OpenAI claims that there is no sign that the data has been misused yet, but the company is monitoring the situation.
Even though the leaked data is not highly sensitive, it can still be used for phishing or social-engineering attacks. Email addresses and metadata such as user IDs can help attackers craft convincing fake messages pretending to be OpenAI. OpenAI has warned users to be careful of suspicious emails and to enable multi-factor authentication.
This incident again shows a clear pattern in the tech industry. Most data leaks are now happening because of third-party services, not because a company’s own systems are weak. OpenAI was not breached, but Mixpanel became the risk point. We saw the same thing recently with Google’s breach that was linked to a third-party contractor, and Salesforce also reported an incident that started because of an outside vendor. These cases make one thing very clear: even the biggest companies are only as secure as the partners they trust.
Even “limited” data can create problems. An email, a user ID, or even location data is enough for targeted phishing. Attackers do not always need passwords to cause damage. That is why incidents like this worry users even if the companies call the exposure small.
I also think it is interesting that OpenAI decided to fully drop Mixpanel. That suggests either dissatisfaction with Mixpanel’s handling of the issue or a broader effort by OpenAI to reduce external dependencies as their products become more widely used.
OpenAI recommends being cautious with unexpected emails, checking sender domains, and enabling multi-factor authentication. These are good steps, but users will still worry whenever their information goes through external analytics platforms.











