OpenAI says partner breach exposed API user data
OpenAI notified customers that a third‑party analytics provider, Mixpanel, was breached in November, exposing names, emails, Organization IDs, coarse location and browser metadata tied to OpenAI API accounts. OpenAI said its own systems were not compromised and no chat histories, passwords, billing data or API keys were exposed; it cut off Mixpanel access after learning of the incident on Nov. 25 and warned the leaked metadata could fuel targeted phishing.
📌 Key Facts
- Mixpanel detected a smishing attack Nov. 8; attackers accessed internal systems Nov. 9 and exported OpenAI‑related data
- Mixpanel informed OpenAI on Nov. 25; OpenAI says it severed Mixpanel access the next day and notified customers
- Exposed fields: names, email addresses, Organization IDs, coarse location, and technical browser metadata; sensitive items (chat logs, API keys, passwords, billing) were not included
📊 Relevant Data
According to the 2025 Data Breach Investigations Report, third-party involvement was found in 30% of all analyzed data breaches, up from 15% the previous year.
2025 Data Breach Investigations Report — Verizon
The global average cost of a data breach involving third-party vendor and supply chain compromise is $4.91 million in 2025.
In a 2025 survey, Black, Hispanic, and Asian adults were more likely than White adults to report having lost money to online scams; 21% of all U.S. adults reported such losses. For context, the U.S. population in 2025 is approximately 58% White, 19% Hispanic, 13% Black, and 6% Asian.
Online Scams and Attacks in America Today — Pew Research Center
People over the age of 60 suffered the most losses from internet crimes, totaling nearly $5 billion in 2024, according to the FBI's 2024 Internet Crime Report.