OpenAI reports major Mixpanel data breach exposing limited ChatGPT API user data
OpenAI has disclosed that a breach at third-party analytics provider Mixpanel exposed limited identifying information from some ChatGPT API customers. The incident was restricted to analytics data gathered by Mixpanel, and OpenAI confirmed that none of its systems or core user data were accessed. No ChatGPT end users or users of other OpenAI products were affected.
The exposed data may have included API account names, email addresses, browser and device metadata, referring sites, and organization or user IDs. No passwords, API keys, chats, usage data, payment details, or government IDs were involved. OpenAI noted that the breach stemmed from a smishing attack Mixpanel detected on November 8 and that it received confirmation of the affected dataset on November 25.
OpenAI has removed Mixpanel from production, opened its own investigation, and is notifying potentially affected users and organizations. Mixpanel secured impacted accounts, revoked sessions, reset credentials, and added new safeguards. Other Mixpanel customers, including CoinTracker, reported similar exposure involving device metadata and limited transaction data. OpenAI advises users to watch for phishing attempts, verify suspicious messages, use two-factor authentication, and avoid sharing sensitive information.
