OpenAI has revealed that some of its API users had their details exposed due to a hack at Mixpanel, a third-party analytics company the company uses. The breach happened on 9 November 2025, and Mixpanel informed OpenAI soon after.
The leaked information includes names linked to API accounts, email addresses, user or organization IDs, approximate location, and technical details like browser and operating system. These details were collected to track API usage.
OpenAI confirmed that no sensitive information was exposed and this includes passwords, payment information, API keys, chat logs, or any data from ChatGPT users. Only customers using the paid OpenAI API platform may be affected. Users of ChatGPT or other OpenAI products are not impacted.
In response, OpenAI has stopped using Mixpanel for all production systems and is alerting affected users directly. The company is also reviewing its vendor security policies to prevent similar incidents in the future.
Experts warn that even limited data leaks like this could be used for phishing attacks, where attackers send fake emails to trick users. OpenAI recommends that users watch for suspicious messages and enable multi-factor authentication (MFA) on their accounts.
The incident highlights how third-party services can pose risks to user data, even when the main company’s systems remain secure. OpenAI says it is taking steps to strengthen its security audits and oversight of external partners.
