OpenAI has confirmed a data breach that exposed limited personal information of its API users after a security incident involving third party analytics provider Mixpanel. The company stressed that ChatGPT users and other OpenAI products were not affected.
According to OpenAI, the breach occurred when an attacker gained unauthorized access to Mixpanel’s systems and exported a dataset containing identifiable details of OpenAI’s API customers. Mixpanel discovered the attack on November 9, 2025, and later shared the affected dataset with OpenAI during its investigation on November 25.
The leaked information included users’ names, email addresses, approximate locations based on browser data (such as city, state, and country), organization or user IDs, device details like operating system and browser, and referring websites. No sensitive or financial information was compromised.
OpenAI emphasized that crucial data including API requests, chat logs, passwords, payment details, government IDs, and verification documents remained secure and untouched.
In response to the incident, OpenAI immediately stopped using Mixpanel’s analytics services and began reviewing all potentially impacted datasets. The company stated that none of its internal systems or platforms were breached.
To reinforce user trust, OpenAI announced stricter security audits across its vendor network and will now enforce stronger safety requirements for all third party partners.
