Mixpanel data breach exposes OpenAI API user names, emails and IDs: here's what we know

OpenAI on Thursday said that it has stopped the use of analytics platform Mixpanel after a security incident at the vendor led to user information being leaked for the company's API accounts. The San Francisco based AI startup also noted that users of ChatGPT and other products were not impacted due to the leak.

The company says that it used Mixpanel to help it understand product usage and improve its services for its API

“As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope.We are in the process of notifying impacted organizations, admins, and users directly.” OpenAI said in a blogpost

“While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse” the ChatGPT maker added

What data was compromised in data breach?

OpenAI says the following data may have been compromised due to the recent data breach.

• Name that was provided to us on the API account
• Email address associated with the API account
• Approximate coarse location based on API user browser (city, state, country)
• Operating system and browser used to access the API account
• Referring websites
• Organization or User IDs associated with the API account

The company also says that user profile information associated with the use of platform.openai.com could also be part of the data exported from Mixpanel.

The AI startup says that no chat content, prompts, responses or API usage data was impacted during the breach. It also noted that OpenAI passwords, API keys, payment information, government IDs and account access credentials were not impacted.

OpenAI says it is in the process of notifying the impacted users and organisations about the breach via email. The ChatGPT maker says it is also conducting additional and expanded security reviews across its vendor ecosystem and is elevating security requirements for all partners and vendors.

What if you are affected by the data breach?

“The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.” OpenAI warned in its blogpost

The company says that given that names, email addresses and OpenAI API metadata were affected by the breach, users should remain vigilant for credible looking phishing attempts or spam.

It shared the following security advice for API users:

• Treat unexpected emails or messages with caution, especially if they include links or attachments.
• Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain.
• OpenAI does not request passwords, API keys, or verification codes through email, text, or chat.
• Further protect your account by enabling multi-factor authentication⁠(opens in a new window).