OpenAI has confirmed a security breach involving its third-party analytics vendor, Mixpanel, which resulted in the exposure of customer data. The incident occurred within Mixpanel’s systems, affecting the data analytics provider used by OpenAI for the frontend interface of its API product (platform.openai.com).
Mixpanel detected unauthorized access to its systems on November 9, 2025. An attacker successfully exported a dataset containing customer-identifiable information and analytics data during the intrusion. OpenAI was notified of the investigation and received the specific dataset of affected users on November 25, 2025. OpenAI has explicitly stated that its own systems were not breached but has terminated its use of Mixpanel following this event.
According to the notification sent by OpenAI, the data compromised in the export pertains to user profile information associated with the OpenAI API platform. The exposed information includes:
-
Names provided on the API account
-
Email addresses associated with the API account
-
Approximate coarse location based on the user’s browser (city, state, country)
-
Operating system and browser information used to access the account
-
Referring websites
-
Organization or User IDs associated with the API account












