
In short
- Mixpanel said an attacker gained access to part of its systems and exported customer-identifiable metadata.
- OpenAI said no prompts, API keys, payment information, or authentication tokens were involved.
- Both companies reviewed the incident, notified affected users and outlined new security steps.
A breach at analytics provider Mixpanel earlier this month exposed account names, email addresses and browser locations for some users of OpenAI’s API, the AI giant confirmed Wednesday, raising concerns that cybercriminals could use the stolen metadata in targeted phishing attempts.
According to Mixpanel, on November 8, an unknown attacker gained access to part of its systems and exported a dataset containing customer-identifiable metadata and analytics information. The stolen data includes usernames, email addresses, approximate browser-based location, operating system and browser data.
OpenAI said the breach did not include user credentials, API keys, payment information or authentication tokens.
Only data from users who accessed OpenAI’s technology through the API – i.e. through third-party apps powered by GPT – was leaked, the company said. In other words, users who access the ChatGPT chatbot directly from OpenAI’s website are not affected.
“As part of our security investigation, we have removed Mixpanel from our production services, reviewed the affected datasets and worked closely with Mixpanel and other partners to fully understand the incident and its scope,” OpenAI said in a statement.
Founded in 2009, San Francisco-based Mixpanel is a product analytics platform used to track user behavior across the web and mobile applications. The company said it discovered the “smishing” campaign and, after an initial investigation and response, alerted OpenAI the next day.
“We are committed to transparency and are notifying all affected customers and users,” OpenAI said. “We also hold our partners and suppliers accountable to the highest standards for the security and privacy of their services.”
Smishing is a form of phishing attack carried out via text messages. According to an October report from infrastructure management company Spacelift, smishing was responsible for 39% of all mobile threats by 2024.
Mixpanel said it secured affected accounts, revoked active sessions, rotated compromised credentials and blocked malicious IP addresses. The company also reset employee passwords, hired third-party cybersecurity firms and reviewed authentication, session and export logs.
Following the breach, Mixpanel said it began notifying affected customers about the incident.
“If you didn’t hear from us directly, you didn’t experience any consequences,” Mixpanel CEO Jen Taylor said in a statement. “We continue to prioritize security as a core tenet of our business, products and services. We are committed to supporting our customers and communicating transparently about this incident.”
Despite Mixpanel reporting the incident to OpenAI, the ChatGPT developer said it was cutting ties with the analytics company. “After reviewing this incident, OpenAI has terminated use of Mixpanel,” the company wrote.
Some OpenAI customers took to social media to express frustration over the revelation that a third-party service had access to their information.
“I’m not very happy about this. […] Why did they have to give my name and email address to Mixpanel?” wrote one user on X. “I’m just a hobbyist trying to do little experiments.”
“OpenAI sending names and emails to a third-party analytics platform (Mixpanel) feels wildly irresponsible,” wrote another.
OpenAI and Mixpanel did not immediately respond to requests for comment from Declutter.

