OpenAI reports data theft at web analytics service provider Mixpanel

OpenAI is reporting a data theft at the web analytics service provider Mixpanel. Mixpanel has been investigating the use of services and APIs at the AI company. Some data collected during this process may now have fallen into the wrong hands.

An announcement on the OpenAI website discusses the IT incident. According to the announcement, there was a breach into Mixpanel's systems, resulting in the loss of "limited analytics data for web analytics of some OpenAI API users (platform.openai.com)". "Users of ChatGPT and other products are not affected," OpenAI explains. However, the company does not mention that an API key is required to use the OpenAI AI in other software, such as "Extended Insert" in Windows Powertoys. The affected user group is therefore comparatively large (and possibly unexpected); many users have generated API keys.

The AI company emphasizes that no OpenAI systems were breached. "No chats, API requests, API usage data, passwords, access credentials, API keys, payment details, or regulatory IDs were compromised or exposed," OpenAI assures.

Mixpanel Breach

On November 9, 2025, Mixpanel noticed unauthorized access by attackers to parts of its systems. The perpetrator(s) then exfiltrated limited customer data and analysis information. Mixpanel informed OpenAI about the incident and the investigations and also sent the affected dataset to the company on Tuesday, November 25, 2025.

According to the report, information from user profiles of API users may have ended up in the unauthorized data export. Furthermore, the names, email addresses, approximate geographical location of the users (city, state, country), operating system and browser used to access the API, website referrers, and finally organizational or user IDs associated with the API account may be affected.

In response to the IT incident, OpenAI removed Mixpanel from its production systems and is investigating the affected datasets. Investigations with Mixpanel are ongoing to determine the full extent of the breach. OpenAI intends to contact affected users, admins, and organizations directly. Even though there are no indications that data or systems outside the Mixpanel environment are impacted, OpenAI will be closely monitoring for signs of misuse. The company is also conducting additional and enhanced security investigations across the entire provider ecosystem and is raising security requirements for all partners and providers – without specifying what this exactly means.

SMS as an Entry Point

Mixpanel itself explains in a blog post states that the company discovered a "Smishing" campaign on November 8, 2025. In this campaign, employees receive SMS messages that are intended to trick them into revealing their login credentials. This immediately triggered the incident response process – Mixpanel Limited and eventually stopped the unauthorized access and secured the affected user accounts. The company also involved external cybersecurity partners to respond to the IT incident.

Mixpanel has informed impacted customers about the incident. Those who have not heard directly from Mixpanel are not impacted. The list of customers includes other well-known companies besides OpenAI, such as Joyn, LG, Pinterest, Workday, and Yelp. It is possible that other companies will report an IT incident in this regard shortly.

(dmk)