Subject: Third-party security incident
From: OpenAI <noreply@email.openai.com>
Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.
What happened
On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.
What this means for you
User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to:
* Name that was provided to us on the API account
* Email address associated with the API account
* Approximate coarse location based on API user browser (city, state, country)
* Operating system and browser used to access the API account
* Referring websites
* Organization or User IDs associated with the API account
Our response
As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We are in the process of notifying impacted organizations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse.
Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.
Beyond Mixpanel, we are conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors.
What you should keep in mind
The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.
Since names, email addresses, and OpenAI API metadata (e.g., user IDs) were included, we encourage you to remain vigilant for credible-looking phishing attempts or spam. As a reminder:
* Treat unexpected emails or messages with caution, especially if they include links or attachments.
* Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain.
* OpenAI does not request passwords, API keys, or verification codes through email, text, or chat.
* Further protect your account by enabling multi-factor authentication.
The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise. Thank you for your continued trust in us.
For more information about this incident and what it means for impacted users, please see our blog post here. [ https://openai.com/index/mixpanel-incident/ ]
Please contact your account team or mixpanelincident@openai.com if you have any questions or need our support.
OpenAI
vintagedave•2mo ago
While I'm sure my name, email and location are out there already, I am also disappointed to see leaks of (what I view as) PII.