Mixpanel breach exposes names, emails of some OpenAI API users; here's what we know

OpenAI on Thursday said a security incident at third-party analytics provider Mixpanel led to the exposure of limited user information related to some developers of its API platform.

However, no OpenAI systems or sensitive data were compromised, it added.

The breach occurred within Mixpanel’s systems and did not affect users of ChatGPT or OpenAI’s other products, the company said in a statement.

OpenAI said Mixpanel informed it that an attacker had gained unauthorised access to part of its systems on November 9 and exported a dataset containing “limited customer identifiable information and analytics information”.

The affected dataset was shared with OpenAI on November 25.

According to OpenAI, the incident was not a breach of its own infrastructure, and no chats, API requests, usage data, passwords, credentials, API keys, payment details or government IDs were exposed.

The information potentially accessed included a user’s name and email address associated with their API account; coarse location data based on browser information (city, state, country); operating system and browser details; referring websites; and organisation or user IDs, it said.

OpenAI said it had removed Mixpanel from its production services after initiating a security investigation and is notifying affected organisations, administrators and users directly.

“We continue to monitor closely for any signs of misuse,” it added.

The company warned that the exposed information could be used in phishing or social-engineering attempts and urged users to verify emails claiming to be from OpenAI, avoid clicking on suspicious links and enable multi-factor authentication.

OpenAI said it is conducting expanded security reviews across its vendor ecosystem and raising security requirements for all partners. It has also terminated the use of Mixpanel following the incident.

Here are some FAQs based on OpenAI’s statement:

A security breach occurred in Mixpanel’s systems on November 9, 2025, allowing an attacker to export a dataset containing limited identifiable and analytics information of some OpenAI API users.

No. OpenAI said the incident was confined to Mixpanel’s environment and did not involve its own systems.

Some users of OpenAI’s API platform (platform.openai.com). OpenAI is notifying impacted users and organisation admins directly.

No. Users of ChatGPT and OpenAI’s other consumer products were not impacted.

Name and email linked to the API account, rough location (city/state/country), operating system and browser, referring websites, and user or organisation IDs.

No. OpenAI said no passwords, credentials, API keys, payment information or government IDs were exposed.

No. OpenAI confirmed no chat or API usage content was affected.

No resets are recommended, since these details were not impacted.

Mixpanel was OpenAI’s third-party web analytics provider for understanding product usage on its API platform.

No. OpenAI has removed Mixpanel from its production services following the incident.

Possible phishing or social-engineering attempts using names or email IDs. OpenAI advised users to verify sender domains, avoid unexpected links or attachments, and enable multi-factor authentication.