In a significant reminder of the risks inherent to the digital supply chain, artificial intelligence giant OpenAI has confirmed that user data associated with its API platform has been exposed. The exposure stems not from a compromise of OpenAI’s own infrastructure, but from a security incident at Mixpanel, a third-party data analytics provider used to track web traffic on the API frontend.
According to the disclosure, Mixpanel discovered the incident on November 9, 2025, when it detected an attacker with unauthorized access to part of its systems. The attacker exported a dataset containing customer-identifiable information and analytics data.
OpenAI was alerted to the ongoing investigation and, on November 25, 2025, received the affected dataset so that it could assess the impact.
OpenAI was quick to clarify the boundaries of the incident, stating: “This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.”
Furthermore, the company confirmed that the incident is strictly isolated to users of the API product (platform.openai.com) and that “Users of ChatGPT and other products were not impacted.”
While the assets that matter most (chat histories, API keys, credentials, and payment details) were not exposed, the leaked data is ample fuel for targeted campaigns. The exposed dataset includes metadata and profile information such as:
- Names and email addresses associated with API accounts.
- Coarse location (city, state, country).
- Operating system and browser details.
- Referring websites.
- Organization IDs and user IDs.
The advisory notes: “User profile information associated with the use of platform.openai.com may have been included in data exported from Mixpanel.”
After reviewing the incident and the vendor's security posture, OpenAI decided to end its relationship with the analytics firm.
“Trust, security, and privacy are foundational to our products, our organization, and our mission,” the report states. “After reviewing this incident, OpenAI has terminated its use of Mixpanel.”
Beyond this specific termination, OpenAI is launching expanded security reviews across its entire vendor ecosystem to elevate security requirements and prevent similar downstream compromises in the future.
Security experts warn that, although no credentials were stolen, the data is far from harmless: a name, an email address, and the knowledge that the recipient is an OpenAI API developer are exactly what a spear-phishing campaign needs.
The report explicitly warns users: “The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.”
Threat actors could use the exposed user IDs or organization IDs to craft highly credible fake support emails, tricking developers into handing over the very API keys and passwords that were not touched by the breach. A message that quotes your real organization ID is therefore not evidence that it came from OpenAI; that ID is in the exported data.
OpenAI is currently in the process of notifying all impacted organizations and admins directly. Users are urged to exercise extreme caution regarding any communications claiming to be from OpenAI, especially those requesting credentials or containing urgent calls to action.
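The lure described above can be caught mechanically at the mail gateway: check where the message really came from, whether its Reply-To points elsewhere, whether DMARC passed, and whether the body asks for credentials or links off-domain, treating a quoted org ID as no proof of legitimacy. The following triage script is an added example, not code from OpenAI or Mixpanel; the two messages it scores are constructed, and the trusted sender domain (openai.com), the `org-`/`user-` identifier format, and the verdict thresholds are assumptions to adjust for your own environment.

```python
"""Triage heuristics for mail claiming to come from OpenAI (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: only mail from openai.com (or a subdomain of it) is trusted.
TRUSTED_DOMAINS = {"openai.com"}

CREDENTIAL_REQUEST = re.compile(
    r"(api key|secret key|password|verify your (?:account|credentials)|re-?authenticate)",
    re.IGNORECASE,
)
URGENCY = re.compile(r"(immediately|within \d+ hours?|suspend|urgent|final notice)", re.IGNORECASE)
# Assumed shape of the organization / user identifiers named in the advisory.
EXPOSED_ID = re.compile(r"\b(?:org|user)-[A-Za-z0-9]{6,}\b")
URL = re.compile(r"https?://[^\s<>\"']+")


def _host_of(header_value):
    """Mailbox host from a From/Reply-To header, or '' if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw_message):
    """Return (verdict, findings); verdict is 'deliver', 'review' or 'quarantine'.

    Quarantine needs BOTH an untrustworthy sender (off-domain From or DMARC
    failure) AND a lure (credential request or off-domain link); either one
    alone is routed to a human for review.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_host = _host_of(msg["From"])
    reply_host = _host_of(msg["Reply-To"])
    sender_trusted = _is_trusted(from_host)
    if not sender_trusted:
        findings.append(f"From domain {from_host!r} is not a trusted OpenAI domain")
    if reply_host and reply_host != from_host:
        findings.append(f"Reply-To domain {reply_host!r} differs from From domain")

    # Only meaningful if your own MX wrote this header; strip inbound copies upstream.
    dmarc_failed = "dmarc=fail" in str(msg["Authentication-Results"] or "").lower()
    if dmarc_failed:
        findings.append("DMARC failed for the From domain")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    lure = False
    if CREDENTIAL_REQUEST.search(body):
        findings.append("asks for an API key, password or re-authentication")
        lure = True
    if URGENCY.search(body):
        findings.append("pressures the reader with a deadline or suspension threat")
    # A correct org/user ID proves nothing: those IDs were in the exported data.
    if not sender_trusted and EXPOSED_ID.search(body):
        findings.append("quotes an org/user ID from an untrusted sender")
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if not _is_trusted(host):
            findings.append(f"links to untrusted host {host!r}")
            lure = True
            break

    if (not sender_trusted or dmarc_failed) and lure:
        return "quarantine", findings
    return ("review" if findings else "deliver"), findings


# Constructed sample: a lure built from exactly the fields in the export.
PHISH = """\
From: OpenAI Support <support@openai-billing-center.com>
Reply-To: verify@secure-login-check.net
To: dev@example.com
Subject: Action required: verify organization org-Ab12Cd34Ef56
Authentication-Results: mx.example.com; dmarc=fail header.from=openai-billing-center.com
Content-Type: text/plain; charset="utf-8"

We detected unusual activity on organization org-Ab12Cd34Ef56. Verify your
API key within 24 hours at https://openai-billing-center.com/verify or the
account will be suspended.
"""

# Constructed sample: a routine notification that should be delivered.
LEGIT = """\
From: OpenAI <noreply@openai.com>
To: dev@example.com
Subject: Your monthly usage summary
Authentication-Results: mx.example.com; dmarc=pass header.from=openai.com
Content-Type: text/plain; charset="utf-8"

Your organization's usage summary is available at
https://platform.openai.com/usage.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        verdict, findings = triage(raw)
        print(label, verdict, findings)
```

Run it directly to see both verdicts; the constructed lure is quarantined on seven findings while the routine notification is delivered with none. The quarantine rule is deliberately two-sided: a genuine OpenAI notice may well cite your org ID or carry a deadline, so neither fact alone moves a message past "review".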
As a standard defense posture, users should ensure multi-factor authentication (MFA) is enabled on their accounts. While no passwords were lost, MFA limits the damage if a developer is tricked into entering a password on a fake login page. It does nothing for an API key pasted into an attacker's form, so any message asking for a key should be treated as hostile.