OpenAI has ended its use of analytics provider Mixpanel after a security incident in which API user data was exported. The incident took place within Mixpanel’s systems and did not affect ChatGPT users.
On November 9, Mixpanel discovered that an attacker had gained unauthorized access to parts of its systems. The attacker exported a dataset containing limited customer identification data and analytics data. Mixpanel informed OpenAI about the investigation and shared the affected dataset on November 25.
The data breach occurred in Mixpanel’s systems, which OpenAI used for web analytics on its API platform, platform.openai.com. OpenAI’s own systems were not affected. Chat conversations, API calls, API usage data, passwords, credentials, API keys, payment details, and government identification documents were not compromised or exposed.
Leaked user data
The exported Mixpanel data included user profile information linked to use of platform.openai.com. This includes names provided to the API account, email addresses associated with the API account, estimated location based on API users’ browsers (city, state, country), operating system and browser used to access the API account, referring websites, and organization or user IDs associated with the API account.
OpenAI has removed Mixpanel from its production services and is reviewing the affected datasets. The company is working closely with Mixpanel and other partners to understand the incident. OpenAI is notifying affected organizations, administrators, and users directly. After reviewing the incident, OpenAI has terminated its use of Mixpanel.
Risk of phishing
The leaked information could be used for phishing or social engineering attacks. OpenAI warns users to remain vigilant for credible-looking phishing attempts or spam. Users should treat unexpected emails or messages with links or attachments with caution and verify that any message claiming to be from OpenAI is actually from an official OpenAI domain.
OpenAI is conducting additional, comprehensive security assessments across its vendor ecosystem and is increasing security requirements for all partners and vendors. The company continues to monitor for signs of abuse outside of the Mixpanel environment.