OpenAI is notifying some ChatGPT API customers that limited identifying information was exposed following a breach at its third‑party analytics provider Mixpanel. Mixpanel provides event analytics OpenAI uses to track user interactions on the API frontend, and OpenAI provided details in a press release.
Mixpanel reported that the attack resulted from a smishing (SMS phishing) campaign it detected on November 8 and affected a limited number of customers. OpenAI said it received details of the affected dataset on November 25 after being informed of Mixpanel’s ongoing investigation.
OpenAI said the exposed information may include names provided on API accounts, email addresses tied to API accounts, approximate coarse location based on the user’s browser (city, state, country), operating system and browser data, referring websites, and organization or user IDs associated with the API account. The company said no chats, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised.
As a precaution, OpenAI removed Mixpanel from its production services, began notifying organizations, administrators and individual users directly, and launched an investigation to determine the full scope of the incident.
Mixpanel’s CEO Jen Taylor said all impacted customers have been contacted. Mixpanel said it secured affected accounts, revoked active sessions and sign‑ins, rotated compromised credentials, blocked the threat actor’s IP addresses, reset employee passwords and implemented new controls to prevent similar incidents.
Some users reported that CoinTracker, a cryptocurrency portfolio tracker and tax platform, was also impacted, with exposed device metadata and limited transaction counts. Both companies warned the leaked data could be used in phishing or social‑engineering attacks and urged users to enable two‑factor authentication and not to send passwords, API keys or verification codes by email, text or chat.