OpenAI has disclosed that some users of its API platform may have had their personal information exposed after attackers breached Mixpanel, a third-party web analytics vendor the company used for performance tracking. The breach, which occurred on 9 November 2025, resulted in unauthorised access to customer-linked metadata including usernames, email addresses, organisation or user IDs, browser details and approximate geographical location.
In a statement published Thursday, November 27, OpenAI said Mixpanel notified the company that it was investigating the breach, later sharing affected datasets on November 25. The AI firm emphasised that none of its internal systems were compromised during the incident, and added that the leak did not include chat logs, passwords, authentication tokens, API keys, payment information or identity documents. Front-end users of ChatGPT and other OpenAI consumer products were not affected.
OpenAI's API platform allows developers to integrate its AI models into products and applications through paid access, making the breach particularly significant for enterprise customers. Mixpanel, which OpenAI has now discontinued using, provided analytics to improve service performance and optimise API consumption.
