OpenAI is notifying API users about a security incident at Mixpanel, the analytics vendor previously used on the platform.openai.com interface. While no OpenAI systems were breached, limited analytics data tied to some API users was exposed.
What happened
On November 9, 2025, Mixpanel detected that an attacker had gained unauthorized access to part of its systems and exported a dataset containing limited customer-identifiable and analytics information. Mixpanel informed OpenAI that same day and provided the affected dataset on November 25, 2025.
The incident involved analytics data from Mixpanel, but not OpenAI’s systems. No chats, API requests, API keys, passwords, payment information, or government IDs were compromised.
The information potentially exposed included the name and email address associated with an OpenAI API account, an approximate coarse location derived from browser metadata, the operating system and browser used, referring websites, and the organization or user IDs associated with the API account.
What was said
In OpenAI’s notice, the company stated, “This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.”
“As part of our security investigation, we removed Mixpanel from our production services… and continue to monitor closely for any signs of misuse.”
“We also hold our partners and vendors accountable for the highest bar for security and privacy… After reviewing this incident, OpenAI has terminated its use of Mixpanel.”
OpenAI also stated that impacted organizations, admins, and users are being notified directly.
In the know
Analytics platforms, like Mixpanel, are commonly used to measure product usage without accessing sensitive operational data. They typically collect metadata, like browser type, device, referral source, and identifiers, not the content of user activity.
While this data is lower risk than credentials or API keys, it can still enable phishing or targeted social engineering if exposed. More specifically, attackers can use real names, email addresses, and organizational identifiers to write convincing fake messages.
Even though the Mixpanel analytics issue did not expose any PHI, the event shows HIPAA-covered entities that everyday web tools can become a compliance risk.
A recent Nature publication titled ‘Practical and ready-to-use methodology to assess the re-identification risk in anonymized datasets’ explains that certain analytics configurations “could potentially collect more data than intended,” even if, in this case, the settings were corrected before any regulated information was transmitted.
Ultimately, third-party scripts, trackers, and analytics pixels can behave in unpredictable ways unless they are governed, monitored, and validated against HIPAA’s minimum-necessary and vendor-management expectations.
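One way to put the "governed, monitored, and validated" advice into practice is to inventory the third-party scripts, pixels, and iframes a page actually loads and compare them against the vendors the organization has reviewed. The script below is an added example written for this article; it is not code from OpenAI, Mixpanel, or the article's author. The first-party and approved-vendor hostnames and the sample HTML are constructed placeholders, not real sites or vendors. It flags loads from hosts outside the allowlist and reports third-party scripts that carry no Subresource Integrity (integrity) attribute.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed inventory for the example: the hosts this site serves itself,
# and the third-party vendors the organization has reviewed and approved.
# Both sets are hypothetical placeholders, not real vendors.
FIRST_PARTY_HOSTS = {"app.example.com"}
APPROVED_THIRD_PARTY_HOSTS = {"cdn.approved-analytics.example"}

# Constructed sample page: one first-party script, one approved vendor script
# without an integrity attribute, one unreviewed tracking pixel and one
# unreviewed embedded iframe.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.approved-analytics.example/lib.js"></script>
<script>window.dataLayer = [];</script>
</head><body>
<img src="//pixel.unknown-tracker.example/t.gif?u=123" width="1" height="1">
<iframe src="https://embed.unreviewed-widget.example/chat"></iframe>
</body></html>
"""


class _ResourceCollector(HTMLParser):
    """Collects every externally loaded script, image and iframe on a page."""

    TRACKED_TAGS = ("script", "img", "iframe")

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, url, has_integrity)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names
        src = attrs.get("src")
        if tag in self.TRACKED_TAGS and src:
            self.resources.append((tag, src, "integrity" in attrs))


def resource_host(url):
    """Hostname a resource is fetched from; '' for same-origin relative URLs."""
    return (urlparse(url).hostname or "").lower()


def audit_page(html, first_party_hosts, approved_hosts):
    """Classify third-party loads as approved or unapproved, and flag
    third-party scripts that lack Subresource Integrity (SRI) metadata."""
    collector = _ResourceCollector()
    collector.feed(html)
    report = {"approved": {}, "unapproved": {}, "scripts_missing_sri": []}
    for tag, url, has_integrity in collector.resources:
        host = resource_host(url)
        if host == "" or host in first_party_hosts:
            continue  # same-origin resource, not a vendor
        bucket = "approved" if host in approved_hosts else "unapproved"
        report[bucket].setdefault(host, []).append((tag, url))
        if tag == "script" and not has_integrity:
            report["scripts_missing_sri"].append(url)
    return report


if __name__ == "__main__":
    result = audit_page(SAMPLE_HTML, FIRST_PARTY_HOSTS, APPROVED_THIRD_PARTY_HOSTS)
    for host, loads in result["unapproved"].items():
        print(f"UNAPPROVED vendor {host}: {len(loads)} load(s)")
    for url in result["scripts_missing_sri"]:
        print(f"third-party script without integrity attribute: {url}")
```

Run against the constructed page, the audit reports the approved analytics host, two unapproved hosts (the pixel and the iframe), and the approved vendor's script as missing an integrity attribute. An allowlist like this is the starting point for vendor management, not a guarantee: as the Mixpanel incident shows, a reviewed vendor can still suffer its own breach, which is why the inventory should feed ongoing monitoring and periodic re-assessment of what each vendor receives.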
Why it matters
Although the Mixpanel incident did not compromise OpenAI systems or API keys, the exposure of account metadata increases the risk of phishing and impersonation attacks. API users should remain vigilant, verify messages claiming to be from OpenAI, and avoid sharing credentials or verification codes.
Organizations must review their vendor ecosystems and strengthen third-party risk management.
FAQs
What is analytics metadata?
Analytics metadata refers to background information collected about how users interact with a website or service. This may include the user’s browser type, device model, screen size, and general location. It helps organizations understand usage patterns but does not capture the actual content of user activity.
What is coarse location?
Coarse location is a broad, approximate geographic indicator, like a city, state, or country, derived from browser or IP data. It does not reveal precise coordinates or GPS-level tracking.
What is user-identifiable information?
User-identifiable information is data that can reasonably be linked to a specific person, such as a name, email address, or account ID. It does not need to include sensitive details like passwords or financial information to be considered identifying.