A security incident at OpenAI's vendor, Mixpanel, has led to the exposure of names and email addresses for some API account holders. Levart_Photographer/Unsplash

OpenAI has confirmed a data breach at its third-party analytics vendor, Mixpanel, that exposed the names and email addresses of a portion of its API users. Because these details are exactly what a phisher needs to craft a convincing targeted message, affected users should review the precautions outlined below and stay alert to suspicious contact.

The security event stemmed from a compromise of Mixpanel's systems, not from a failure within OpenAI's own infrastructure. The attacker was able to access and export a dataset containing a limited amount of identifying information about certain OpenAI API customers.

Crucial Alert: OpenAI Confirms Mixpanel Data Exposure

Mixpanel detected suspicious activity in part of its systems and determined that an intruder had exported a dataset containing customer details together with analytics (usage) data.

Mixpanel notified OpenAI, which used the service only for web analytics on the front end of its API platform at platform.openai.com. The AI company, led by Sam Altman, stated in a blog post that the incident had no impact on users of ChatGPT or any of its other products.

Crucially, OpenAI's own systems were not compromised: chat history, API requests, API usage data, passwords, login credentials, API keys, payment details and government identification documents were not involved.

Mixpanel provided the compromised data to OpenAI on 25 November 2025, enabling OpenAI to begin its own review and contact affected individuals.

Details of Compromised Information

The dataset taken from Mixpanel's systems contained limited account details and analytics data specific to the platform.openai.com interface.

The exposed information is limited to the following categories:

  • The name provided for the API account.
  • The email address connected to the API account.
  • Coarse location derived from the browser session (city, state, and country).
  • The operating system and browser employed when accessing the API account.
  • Websites that directed the user to the platform.
  • The unique identifiers (IDs) linked to the organisation or the user's API account.

OpenAI's Immediate Action

OpenAI moved quickly to contain the exposure. Once its own review was complete, the company removed Mixpanel from its production services. Mixpanel CEO Jen Taylor explained that the company had identified a 'smishing' (SMS phishing) attack and immediately launched its incident response procedures.

'We took comprehensive steps to contain and eradicate unauthorised access and secure impacted user accounts. We engaged external cybersecurity partners to remediate and respond to the incident,' the top executive confirmed in a blog post.

Regardless of Mixpanel's remediation, OpenAI has ended its use of the service. Its focus now is on directly informing all affected parties, including organisations, administrators, and individual users, by email.

OpenAI stated that although no evidence of data misuse has been found, it is still actively monitoring for any signs of related malicious activity.

In addition, the company announced that it is undertaking broader, more thorough security checks across its entire network of suppliers and increasing security standards for all external partners.

Key Actionable Steps for API Users

The exposed details, which include your name, email address, and account metadata, could be used by criminals in phishing or social engineering attempts targeting you or your organisation.

OpenAI is urging all API users to stay alert for any suspicious communication. This involves treating any unexpected emails or messages with extreme care, particularly those that include links or attachments.

Always check that a message claiming to be from OpenAI really comes from an official OpenAI domain: look at the actual sender address rather than the display name, and treat lookalike domains (extra words, hyphens or swapped characters around the brand name) as hostile. Remember that OpenAI will never ask for sensitive information such as passwords, API keys, or verification codes via email, text, or chat.
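The checks above can be automated for a message you are unsure about. The script below is an added example, not code from OpenAI or Mixpanel: it parses a raw email, extracts the real sender domain, compares it against an assumed allowlist (only openai.com and its subdomains are treated as official here, which is an assumption, not a statement from the page), flags lookalike domains, reads the receiving server's Authentication-Results header for the DMARC verdict, spots links whose visible text names a different host than the real target, and looks for requests for passwords, API keys or verification codes. Both sample messages are constructed for the demonstration.

```python
"""Triage a message that claims to come from OpenAI.

Added example (not OpenAI's or Mixpanel's code). Assumptions:
- only openai.com and its subdomains are legitimate sender domains;
- the receiving mail server stamps an Authentication-Results header.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: adjust this allowlist to what your own tenant trusts.
TRUSTED_DOMAINS = ("openai.com",)
# Brand words that a lookalike domain is likely to imitate.
BRAND_TOKENS = ("openai", "chatgpt")
# Things the page says OpenAI never asks for by email, text or chat.
CREDENTIAL_WORDS = ("password", "api key", "verification code")

# Constructed phishing sample: lookalike sender, mismatched link, credential request.
SAMPLE_EML = """\
From: OpenAI Support <billing@openai-support.com>
To: dev@example.org
Subject: Action required: verify your API account
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=openai-support.com; dkim=none; dmarc=fail header.from=openai-support.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your API key must be re-verified. Click
<a href="https://platform-openai.example.net/verify">https://platform.openai.com/verify</a>
and enter your password and API key.</p>
</body></html>
"""

# Constructed benign sample (sender address is made up for the example).
LEGIT_EML = """\
From: OpenAI <noreply@openai.com>
To: dev@example.org
Subject: Notice regarding the Mixpanel security incident
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=openai.com; dkim=pass header.d=openai.com; dmarc=pass header.from=openai.com
Content-Type: text/plain; charset="utf-8"

We are writing to let you know about a security incident at a third-party
vendor. No action is required on your part.
"""


def sender_domain(msg):
    """Domain of the real address in From:, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_trusted(domain):
    """True for an allowlisted domain or one of its subdomains (no suffix tricks)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def looks_like_brand(domain):
    """Untrusted domain that still contains a brand token after undoing
    common substitutions (0 for o, 1 for l, inserted hyphens)."""
    norm = domain.replace("0", "o").replace("1", "l").replace("-", "")
    return (not is_trusted(domain)) and any(tok in norm for tok in BRAND_TOKENS)


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}


def mismatched_links(content):
    """Anchors whose visible URL names a different host than the real href."""
    out = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', content, flags=re.I | re.S):
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and shown.group(1).lower() != real_host:
            out.append((shown.group(1).lower(), real_host))
    return out


def triage(raw):
    """Return the sender domain, auth verdicts and a list of red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    domain = sender_domain(msg)
    auth = auth_results(msg)
    findings = []
    if not is_trusted(domain):
        findings.append("sender_not_trusted")
    if looks_like_brand(domain):
        findings.append("lookalike_domain")
    if auth.get("dmarc") != "pass":
        findings.append("dmarc_not_pass")
    if mismatched_links(content):
        findings.append("link_text_mismatch")
    text = re.sub(r"<[^>]+>", " ", content).lower()
    if any(w in text for w in CREDENTIAL_WORDS):
        findings.append("asks_for_credentials")
    return {"sender_domain": domain, "auth": auth, "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
    print(triage(LEGIT_EML))
```

The allowlist check deliberately requires a suffix match on a dot boundary, so `openai.com.evil.example` is not trusted even though it starts with the real domain; the lookalike test is a heuristic and will produce false positives on unrelated domains that happen to contain a brand word, which is acceptable for a triage tool whose output is a list of reasons to look closer rather than a verdict.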

Lastly, although no passwords were leaked in this incident, enabling Multi-Factor Authentication (MFA) remains essential for protecting accounts against unauthorised access; organisations should enforce it through their single sign-on (SSO) provider.

No Need to Reset

OpenAI is not advising users to change their passwords or generate new API keys since those elements were not compromised in the breach. If users have any further concerns, OpenAI encourages them to contact its support team.