OpenAI Reports Data Leak of API Users

OpenAI reported a compromise of Mixpanel, a third-party analytics service it used to track user actions in the frontend of its API product. The attack led to a data leak affecting a portion of customers.

Per an official statement from OpenAI, the incident only affected API user data. Regular users of ChatGPT and other company services were not impacted.

"This was not a breach of OpenAI's systems. No chats, API requests, API usage data, passwords, access keys, payment details, or identity documents were compromised," the company stated.

Mixpanel representatives confirmed that the attack affected a limited number of clients, who have been notified of the incident.

Attack Details and Timeline

No technical details about the hack have been disclosed, but the breach resulted from an SMS phishing (smishing) campaign discovered on November 9, 2025. OpenAI reported the compromise and the investigation only on November 25, when it also provided details about the compromised data.

The leak may have involved the following information:

  • The name associated with the API account
  • The email address linked to the API account
  • Approximate location based on browser data (city, region, country)
  • The operating system and browser used to access the API
  • Referring websites
  • The organization or user ID tied to the API account

Response and Remediation

Following the attack, Mixpanel secured the affected accounts, revoked active sessions and logins, reset compromised credentials, blocked the attackers' IP addresses, and reset passwords for all employees. The company stated it has implemented additional security measures to prevent similar incidents.

Since sensitive credentials were not exposed, OpenAI users do not need to reset their passwords or regenerate API keys.

OpenAI is investigating the incident to determine the full scope of what happened. As a precautionary measure, Mixpanel has been completely removed from all of the company's services.

Security Recommendations

Although OpenAI stated that only API customers were affected, the company sent incident notifications to all subscribers. Since the stolen data could be used for phishing and social engineering, the company urged users to remain vigilant.

OpenAI representatives also recommended using two-factor authentication (2FA) and reminded users not to send passwords, API keys, or verification codes via email, SMS, or chats.

Impact on Other Services

The Mixpanel hack also affected CoinTracker, a platform for tracking cryptocurrency portfolios and taxes. CoinTracker representatives warned that in their case, the leak also involved device metadata and affected a limited number of transactions.