It anything, it’s opposite of breach.
A social engineering attack that enables an attacker to gain unauthorized access to Mixpanel's systems and export a dataset containing names, user IDs, location data, and email addresses sounds exactly like a breach to me.
A breach is unauthorized disclosure, the mechanism through which it is achieved is not relevant to that classification.
An employee that walks out with a file would also be classified as a breach, even if no systems got compromised from the outside.
Read before you blindly comment
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.
What happened On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.
What this means for you User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to: Name that was provided to us on the API account Email address associated with the API account Approximate coarse location based on API user browser (city, state, country) Operating system and browser used to access the API account Referring websites Organization or User IDs associated with the API account
> To assist us in meeting business operations needs and to perform certain services and functions, we may disclose Personal Data to vendors and service providers, including providers of ... web analytics services ...
OpenAI likely provides this disclosure to comply with US state privacy laws, but it's inaccurate to say they didn't disclose that they won't share your information
"As part of our security investigation, we removed Mixpanel from our production services"
"After reviewing this incident, OpenAI has terminated its use of Mixpanel."
> Has Mixpanel been removed from OpenAI products?
> Yes.
You do realize that you pay for Mixpanel right?
> We may also aggregate or de-identify Personal Data so that it no longer identifies you and use this information for the purposes described above, such as to analyze the way our Services are being used, to improve and add features to them, and to conduct research. We will maintain and use de-identified information in de-identified form and not attempt to reidentify the information, unless required by law.
The fact that Mixpanel has this data in non-de-identified form is suspect to me. Granted, my entire comment was clearly tongue-in-cheek. Although I think it's possible that OpenAI is selling this data to get a discount on Mixpanel usage, in reality I understand that the more likely explanation is that whoever was responsible for managing this data is completely and totally incompetent.
The way mixpanel works is that they tag users with a device ID, then once they become a customer, you back port your own customer ID to mix panel and they switch the device ID to your internal customer record so that you can see what your signed up users are doing, where they signed up from and generally track the user journey.
Considering they were aware of this on the 8th (who knows how long that was after it actually happened) it's a little disappointing that they'd wait until the day before such a major holiday to post about it. Unsurprising sure, but still disappointing.
https://www.theregister.com/2025/09/16/china_1hour_cyber_rep...
https://privacymatters.dlapiper.com/2025/09/china-new-strict...
> As a valued customer, we wanted to inform you about a recent security incident that affected a limited number of Mixpanel user accounts. We have proactively communicated with all impacted customers. If we did not previously contact you, your Mixpanel accounts were not impacted. We continue to prioritize security as a core tenant of our company, products and services. We are committed to supporting our customers and communicating transparently about this incident.
In the event you had closed your account a year ago they may have deleted your information from their systems. No way for you to be impacted, but also no way to tell you that, so the lack of the email is the message in that case.
Given what I know about data life cycle implementations there is a very good chance that that data was still there unless the GP explicitly requested it be deleted.
Companies tend to hang on to all kinds of data that they shouldn't have.
The fact that they received an email is a first indication that it wasn't deleted.
* What systems were accessed
* What information was potentially exposed
* Just how "proactively" they've been about this (no timeline)
* Numbers... The scale of any of it
---
Some comments from quoted portions of article
> Mixpanel detected a smishing campaign ...
Doesn't give any details on who the companion targeted, or how, or how widespread.
> We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts.
So there was definitely _some_ sort of unauthorized access, but doesn't say to which accounts or in what systems
> Performed global password resets for all Mixpanel employees
So... definitely sounds like they expected compromise of Mixpanel employee credentials
”Out of transparency and our desire to share with our community…” also reminds me when I get a refund that is prefixed with ”as a one-time gesture of goodwill…” instead of ”sorry, we made a mistake”.
I’m sorry IF you were offended… vs
I’m sorry I made offensive remarks. It hurt you and I am truly sorry.
Yes.What to know about a recent Mixpanel security incident Transparency is important to us...
They're so much transparent that they leaked PII to Mixpanel...
https://news.ycombinator.com/item?id=46071239
And it looks like many companies got affected because their data was stolen via gainsight. The hackers said they plan to ask the companies for ransoms.
> Smishing is a cyber-attack that targets individuals through SMS (Short Message Service) or text messages. The term is a combination of “SMS” and “phishing.”
Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.
What happened On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.
What this means for you User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to: Name that was provided to us on the API account Email address associated with the API account Approximate coarse location based on API user browser (city, state, country) Operating system and browser used to access the API account Referring websites Organization or User IDs associated with the API account Our response As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We are in the process of notifying impacted organizations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse.
Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.
Beyond Mixpanel, we are conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors.
What you should keep in mind The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.
Since names, email addresses, and OpenAI API metadata (e.g., user IDs) were included, we encourage you to remain vigilant for credible-looking phishing attempts or spam. As a reminder: Treat unexpected emails or messages with caution, especially if they include links or attachments. Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain. OpenAI does not request passwords, API keys, or verification codes through email, text, or chat. Further protect your account by enabling multi-factor authentication. The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise. Thank you for your continued trust in us.
For more information about this incident and what it means for impacted users, please see our blog post here.
Please contact your account team or mixpanelincident@openai.com if you have any questions or need our support.
OpenAI
The pattern keeps repeating: Trust vendor → Vendor gets breached → Your users' data exposed. And the cascading effect here is notable - Mixpanel breach → OpenAI API users exposed → Those users likely reused credentials elsewhere.
For sensitive operations, the takeaway is clear: minimize what you share with third parties. If your credentials never leave your machine in the first place, they can't be exfiltrated from a vendor breach.
The old model of "trust but verify" feels increasingly outdated. The new model probably needs to be "verify or don't share."
So they don’t know yet how bad this is.
Mixpanel certainly has more info than OpenAI, yet has determined to share far less with the public. This reflects very poorly on them as a company.
> Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.
The OpenAI disclosure is a better summary of what happened than Mixpanel is stating directly.
Looks like OpenAI has fired Mixpanel as a product over this issue:
“We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.”
That’s a pretty damning statement about a vendor that you don’t see written often publicly like that.
No reason to send your data to other companies.
kevcampb•2mo ago
willsmith72•2mo ago
red_Seashell_32•2mo ago
jacquesm•2mo ago
Every time a google tag is included on a page a ton of sensitive data gets sent to another party than the one whose website you are visiting.
Whether it was wise or not for OpenAI to share this information with Mixpanel is another thing, personally I think they should not have but OpenAI in turn is also used by lots of companies and given their private data and so on.
This layercake of trust only needs on party to mess up for a breach to become reality. What I'm interested in is whether or not it was just OpenAI's data that was lifted or also other Mixpanel customers.
beAbU•2mo ago
codedokode•2mo ago
macNchz•2mo ago
Also probably people on the product marketing team want to have identifying info in their dashboards of top users and churn risks and whatever, and someone has to be the one to tell them no.
cyberax•2mo ago
And it's easy to let things like names and emails slip through.
bflesch•2mo ago
jacquesm•2mo ago
spacebanana7•2mo ago
jacquesm•2mo ago
neom•2mo ago
aberoham•2mo ago
EdwardDiego•2mo ago
The article you're reading states...
"We took comprehensive steps to _contain_ and eradicate unauthorized access"
That's a breach my friend.
kevcampb•2mo ago
If someone phishes your gmail account, there is no gmail breach.
9dev•2mo ago
I really don't understand the point in downplaying this shitshow.
cobertos•2mo ago
It's just a very weazel-worded disclosure. Most definitely a breach.