
A close-up of an OpenAI API analytics dashboard with anomalous data highlighted, as a blurred figure in the background hints at unauthorized access. Image Source: ChatGPT-5
OpenAI Drops Mixpanel After Security Incident Exposes Limited User Metadata
Key Takeaways: Mixpanel Security Incident Affecting OpenAI API Users
OpenAI disclosed a security incident involving Mixpanel, a third-party analytics provider previously used for web analytics on platform.openai.com.
No OpenAI systems were breached, and no chat content, API usage data, credentials, keys, or payment information was exposed.
Certain account metadata may have been accessed, including names, email addresses, coarse location, browser/OS details, and referring websites.
OpenAI has removed Mixpanel from production services and is notifying all impacted customers and organizations directly.
OpenAI Discloses Mixpanel Incident
OpenAI is notifying API users about a recent security incident involving Mixpanel, a third-party analytics provider previously used to track web analytics for platform.openai.com. According to OpenAI, the incident was isolated to Mixpanel’s systems and did not involve unauthorized access to any OpenAI infrastructure.
The company emphasized that ChatGPT users and other OpenAI product users were not affected and that no chat content, prompts, API requests, API usage data, passwords, credentials, API keys, payment information, or government IDs were exposed.
OpenAI says it is disclosing the incident in the interest of transparency and is notifying all impacted organizations, administrators, and users.
What Happened Inside Mixpanel
On November 9, 2025, Mixpanel detected unauthorized access to part of its internal systems. An attacker exported a dataset containing limited customer-identifiable information and analytics data. Mixpanel informed OpenAI of the investigation and, on November 25, 2025, shared the impacted dataset with OpenAI for review.
OpenAI confirmed that the incident did not originate from vulnerabilities in its own systems.
What Data May Have Been Affected
OpenAI reports that only a narrow set of analytics metadata from platform.openai.com users may have been included in the exported dataset. That information may include:
Name associated with the API account
Email address tied to the API account
Approximate coarse location (city, state, country)
Browser and operating system details used to access the API account
Referring websites
Organization or User IDs linked to the API account
No API content, usage logs, credentials, or sensitive personal identifiers were involved.
OpenAI’s Response and Investigation
Following Mixpanel’s disclosure, OpenAI immediately:
Removed Mixpanel from all production services
Reviewed the impacted datasets internally
Began notifying affected organizations and users
Engaged Mixpanel and other partners to understand the full scope of the incident
Initiated broader security reviews across its entire vendor ecosystem
OpenAI states it has found no evidence of impact beyond Mixpanel’s environment and continues to monitor for any signs of misuse. As a result of the incident, the company has terminated its use of Mixpanel and is increasing security requirements for all third-party vendors. OpenAI notes that it has also launched expanded reviews across its broader third-party ecosystem, reflecting an industry-wide shift toward stricter oversight of external services that support AI infrastructure.
Security Considerations for Users
OpenAI cautions that some of the accessed account metadata—such as names, email addresses, and OpenAI API user IDs—could be used in phishing or social engineering attempts. Users are advised to remain vigilant:
Treat unexpected emails or messages with caution, especially if they have links or attachments.
Verify that any communication claiming to be from OpenAI comes from an official OpenAI domain.
Remember that OpenAI will never request passwords, API keys, or verification codes via email, text, or chat.
Enable multi-factor authentication (MFA) to provide an additional layer of protection.
For any questions or concerns about the incident or its impact, OpenAI encourages users to reach out to its dedicated support team at [email protected].
Q&A: Impact on API Users
Q: Why did OpenAI use Mixpanel?
A: Mixpanel provided third-party analytics services to help OpenAI understand usage behavior for platform.openai.com.
Q: Was this caused by an OpenAI vulnerability?
A: No. The incident was confined to Mixpanel’s systems.
Q: Were API content, prompts, or model outputs affected?
A: No. Chat content, prompts, responses, and API usage data were not impacted.
Q: Were ChatGPT accounts affected?
A: No. This issue affected only certain analytics data associated with platform.openai.com.
Q: Were passwords, API keys, or payment information exposed?
A: No. Passwords, API keys, payment information, government IDs, and other sensitive credentials were not compromised.
Q: Do users need to reset their password or rotate API keys?
A: No resets are required, since keys and credentials were not affected.
Q: How will I know if I was impacted?
A: OpenAI is directly notifying impacted users and organizations via email.
Q: Has OpenAI fully removed Mixpanel?
A: Yes. Mixpanel has been removed from all OpenAI products.
Q: Should I enable MFA on my account?
A: Yes. MFA is strongly recommended for additional security.
Q: Will OpenAI provide further updates?
A: Yes. OpenAI will update users if any new material information is identified.
Q: Who can I contact with questions?
A: OpenAI has set up a dedicated support channel: [email protected].
What This Means: Mixpanel Security Incident
The Mixpanel incident highlights a growing reality in modern AI infrastructure: even when core systems remain secure, third-party vendors can introduce vulnerabilities of their own. In this case, the impact was limited — no chat content, API data, credentials, or payment information was exposed — but the event underscores how interconnected today’s AI products have become. A single downstream service can hold enough metadata for attackers to craft more convincing phishing attempts or map an organization’s use of AI tools.
For API users, this incident is a reminder that vendor-level security matters just as much as the protections around a frontier model or primary platform. While most individuals who only use ChatGPT will see no direct effect, the broader lesson is still relevant: as AI systems expand, trust depends on safeguarding the entire ecosystem, not only the core technology itself. Strong oversight of analytics services, integrations, and external partners is now essential to maintaining user confidence.
OpenAI’s decision to remove Mixpanel and raise security requirements across all vendors reflects this shift. As AI adoption increases across industries, the security posture of every supporting service — even those handling limited account metadata — plays a role in how safe, transparent, and resilient AI platforms can be.
As AI becomes embedded in everyday work, trust will depend not only on how advanced the models are, but on how well the entire ecosystem around them is protected.
Editor’s Note: This article was created by Alicia Shapiro, CMO of AiNews.com, with writing, image, and idea-generation support from ChatGPT, an AI assistant. However, the final perspective and editorial choices are solely Alicia Shapiro’s. Special thanks to ChatGPT for assistance with research and editorial support in crafting this article.
