OpenAI is notifying some ChatGPT API clients that restricted figuring out info was uncovered following a breach at its third-party analytics supplier Mixpanel.
Mixpanel presents occasion analytics that OpenAI makes use of to trace person interactions on the frontend interface for the API product.
In line with the AI firm, the cyber incident affected “restricted analytics information associated to some customers of the API” and didn’t impression customers of ChatGPT or different merchandise.
“This was not a breach of OpenAI’s techniques. No chat, API requests, API utilization information, passwords, credentials, API keys, fee particulars, or authorities IDs had been compromised or uncovered,” OpenAI says in a press launch.
Mixpanel reported that the assault “impacted a restricted variety of our clients” and resulted from a smishing (SMS phishing) marketing campaign that the corporate detected on November 8.
OpenAI acquired particulars of the affected dataset on November 25 after being knowledgeable of Mixpanel’s ongoing investigation.
The AI firm notes that the uncovered info might embody:
- Title that was supplied to us on the API account
- Electronic mail handle related to the API account
- Approximate coarse location primarily based on API person browser (metropolis, state, nation)
- Working system and browser used to entry the API account
- Referring web sites
- Group or Person IDs related to the API account
As a result of no delicate credentials had been uncovered, customers don’t have to reset passwords or regenerate API keys.
Some customers are reporting that CoinTracker, a cryptocurrency portfolio tracker and tax platform, has additionally been impacted, with uncovered information additionally together with system metadata and restricted transaction depend.
OpenAI has began an investigation to find out the complete scope of the incident. As a precaution, it has eliminated Mixpanel from its manufacturing companies and is notifying organizations, directors, and particular person customers straight.
Whereas OpenAI underlines that solely customers of its API are impacted, it notified all its subscribers.
The corporate warns that the leaked information might be leveraged in phishing or social-engineering assaults and advises customers to look at for credible-looking malicious messages associated to the incident.
Messages containing hyperlinks or attachments needs to be verified to make sure they originate from an official OpenAI area.
The corporate additionally urges customers to allow 2FA and by no means ship delicate info, together with passwords, API keys, or verification codes, by way of e-mail, textual content, or chat.
Mixpanel’s CEO, Jen Taylor, stated that each one impacted clients have been contacted straight. “You probably have not heard from us, you weren’t impacted,” she famous.
In response to the assault, Mixpanel secured affected accounts, revoked lively classes and sign-ins, rotated compromised credentials, blocked the risk actor’s IP addresses, and reset passwords for all staff. The corporate has additionally applied new controls to stop related incidents sooner or later.
It is funds season! Over 300 CISOs and safety leaders have shared how they’re planning, spending, and prioritizing for the 12 months forward. This report compiles their insights, permitting readers to benchmark methods, determine rising tendencies, and evaluate their priorities as they head into 2026.
Find out how high leaders are turning funding into measurable impression.
