OpenAI’s Customer Data Exposed in Mixpanel’s Security Failure

Date: November 27, 2025

Names, emails, and location details of OpenAI API users were compromised in a recent breach at analytics vendor Mixpanel. This has led OpenAI to immediately cut the partnership.

OpenAI has publicly addressed a serious security incident at its analytics vendor, Mixpanel, which resulted in the unauthorized export of limited user data belonging to users of the API platform.

The breach first came to light on November 9, 2025, when Mixpanel detected that an attacker had gained unauthorized access to part of its internal systems and copied a dataset containing customer information and analytics. Mixpanel initiated an investigation and later shared the affected data with OpenAI on November 25, 2025.

OpenAI was quick to define the scope, emphasizing that the breach was not a failure of its own security infrastructure.

"The incident occurred within Mixpanel’s systems and involved limited analytics data related to some users of the API. Users of ChatGPT and other products were not impacted."

Crucially, the most sensitive data remains secure. The company stressed:

"This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed."

What Information Went Missing in Mixpanel Data Breach?

The data exposed was specific to user profiles and platform analytics collected by the third-party provider. The information that may have been included in the exported files was limited to:

  • The name and email address associated with the API account.
  • Approximate coarse location data (city, state, country).
  • The operating system and browser used to access the API account.
  • Referring websites and the Organization or User IDs tied to the account.

While API keys and login credentials were untouched, the company is now directly notifying all impacted organizations and individual users. It strongly advises customers to be vigilant for credible-looking phishing or social engineering attempts that may use the exposed personal information.

OpenAI also took immediate action, removing Mixpanel from its production services. After a thorough review of the incident and the security lapses, OpenAI decided to terminate its relationship with the vendor entirely.

This incident has prompted a necessary and wider re-evaluation of how the company partners with third-party providers. OpenAI stated:

"Beyond Mixpanel, we are conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors."

By severing ties with the compromised vendor, OpenAI sends a clear message that it will hold its partners accountable to the highest standards in the digital security landscape.

By Manish
