Mixpanel breach: OpenAI details the security incident, citing a “limited exposure” of data

[Image: OpenAI displayed on a computer screen]

After announcing the GPT-5.1 update and then the group feature, OpenAI, the publisher of ChatGPT, has made another announcement: it has informed its customers by email of a security incident at its analytics provider, Mixpanel. Although OpenAI’s communication suggests the impact is limited, the incident once again raises the question of data protection in AI tools. Here are the essential elements to understand the scope of the event and the measures taken.

About the Mixpanel incident and the data concerned

OpenAI indicated that a malicious actor had gained unauthorized access to part of Mixpanel’s systems on November 9, 2025. This access allowed the export of a limited set of information related to API accounts using the web interface platform.openai.com. According to the information provided, no sensitive data related to exchanges, API requests, passwords, government IDs, or payment methods was exposed.

The potentially concerned elements are limited to profile data and information related to the technical browsing environment: name declared on the API account, email address, approximate location based on the browser (city, state, country), operating system, browser, referring sites, and organization or user IDs associated with the account.

OpenAI’s response and security measures taken

Upon receiving the alert from Mixpanel, OpenAI immediately removed this provider from its production services. The company then conducted a detailed review of the affected datasets and engaged in close collaboration with Mixpanel and other partners to understand the extent of the incident. Affected organizations, administrators, and users are being individually notified.

OpenAI claims to have no indication that the incident affected its own systems. However, the company is strengthening its controls across its entire supplier ecosystem and applying heightened security requirements. It has also permanently terminated the use of Mixpanel.

Phishing risks and precautions to take

The exposed information, such as the name, email address, or user metadata, can be exploited in phishing or social engineering attempts. OpenAI encourages all affected users to be vigilant against messages that may mimic official communications.

Recommendations include carefully examining unexpected messages, verifying the exact origin of received emails, not transmitting passwords, API keys, or verification codes, and enabling multi-factor authentication to enhance account protection.

OpenAI’s transparency and commitment

OpenAI reiterates that security, privacy, and trust remain at the core of its mission. The company is committed to clearly informing its users when an incident occurs and to maintaining high standards with all its technology providers.

For any additional questions or requests for assistance, users can contact their dedicated team or the address provided by OpenAI (mixpanelincident [AT] openai.com). A detailed blog post is also available to delve deeper into the subject.

Source: https://openai.com/index/mixpanel-incident/
