On 9 November 2025, Mixpanel, a third-party analytics service used by OpenAI for tracking usage on its API platform, detected that an attacker had gained unauthorized access to a portion of its systems and exported a dataset containing customer-identifiable and analytics information.
On 25 November 2025 Mixpanel shared the affected dataset with OpenAI for review, and on 26 November 2025 OpenAI publicly disclosed the incident.
What Data Was Exposed
According to OpenAI, the exposed information was limited and related only to "analytics-level" account metadata for some API users.
Potentially exposed data included:
- Names provided on the API account
- Email addresses linked to the API account
- Approximate location inferred from browser metadata (city state or country)
- Operating system and browser used to access the account
- Referring websites (i.e. from where the user came before logging in)
- Organisation or user IDs associated with the API account
This data did not include passwords API keys payment information or chat content.
What Was Not Exposed
OpenAI confirmed that this incident did not involve any breach of its own infrastructure.
The following remained safe and were not exposed:
