OpenAI is sending out emails this morning that are making developers do a double-take over their coffee. The subject line? A security incident. The reality? Their third-party analytics vendor, Mixpanel, got breached, and now API developer data is floating around somewhere it shouldn't be.
What Actually Happened
On November 9th, 2025, an attacker gained unauthorized access to Mixpanel's systems. Mixpanel is a web analytics platform that OpenAI used to track how developers interact with its API platform. OpenAI had deployed it specifically on the frontend interface where developers who build sites and tools on OpenAI's API monitor their usage and manage their accounts.
The attacker exported a dataset containing customer-identifiable information and analytics data. Mixpanel notified OpenAI that same day, but it wasn't until November 25th that Mixpanel provided the actual affected dataset so OpenAI could assess the damage.
Now, on November 26th and 27th, affected users are waking up to emails from OpenAI's security team.
What Was Exposed
If you're an API developer on OpenAI's platform, your name, email address, approximate location, operating system and browser may have been exposed. Your organization and user IDs, along with the referring page (the link you clicked to reach the site), may also have been exposed.
What Wasn't Exposed
OpenAI insists that everything else is safe. Specifically, they mentioned your API keys and credentials are safe along with your passwords. Your payment details and government ID are safe. Your API usage data and request logs are safe. No chat content, prompts, or API responses were leaked.
ChatGPT users? You're not affected. This breach was limited to the API platform interface.
OpenAI wants people to know that it wasn't hacked; a company it uses was. It does not want users to doubt the safety of OpenAI's own infrastructure because of an incident that happened at Mixpanel.
Why This Actually Matters
OpenAI's own warning email acknowledges the real risk: "The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization."
Think about what an attacker now knows: which developers are using OpenAI's API, their email addresses, roughly where they're located, and what devices they use. That's a clean targeting list for spear-phishing campaigns.
"Hey [Name], we noticed some unusual API activity from your account in [City]. Please verify your credentials at this link..."
You can see how this plays out.
OpenAI's Response
OpenAI has taken several steps:
- Terminated Mixpanel: The analytics provider has been removed from all production services. The relationship is over.
- Vendor security review: OpenAI says it's conducting extensive reviews across its entire vendor ecosystem and implementing stricter security requirements for third-party partners.
- Direct notification: Affected organizations, admins, and individual users are being contacted via email.
- Monitoring: OpenAI says it hasn't found evidence of data misuse but is continuing to monitor for malicious activity.
Notably, OpenAI is not recommending password resets or API key rotations because those weren't compromised. Whether that's reassuring or concerning depends on your perspective.
What You Should Do
If you got the email, here's the practical advice:
- Watch for phishing: Be extra skeptical of any emails claiming to be from OpenAI, especially those asking for credentials or containing urgent calls to action. Verify sender domains carefully.
- Enable MFA: If you haven't already, turn on multi-factor authentication for your OpenAI account.
- Review your account: Check for any unusual activity. If something looks off, contact privacy@openai.com.
- Warn your team: If you're part of an organization using OpenAI's API, make sure your colleagues know about this. Social engineering attacks often succeed because people aren't expecting them.
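The first item above, verifying sender domains and being skeptical of urgent credential requests, can be partly automated. The following is an added example, not code from OpenAI or from the original article: a small Python triage script that takes a raw email, checks the From and Reply-To domains against an assumed allowlist, flags links whose domain is untrusted or merely contains a trusted brand name (the "openai.com.verify-account.example" pattern), and notes pressure language of the kind shown in the sample lure above. The trusted-domain set, the urgency phrases and both sample messages are constructed for illustration; the real set of domains your organization receives OpenAI mail from is something you must confirm yourself.

```python
"""Heuristic phishing triage for notification emails (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist for illustration; the page only shows privacy@openai.com. Adjust to
# the domains your organization actually receives legitimate mail from.
TRUSTED_DOMAINS = {"openai.com"}

# Pressure language typical of credential-phishing lures (constructed list).
URGENCY_PHRASES = (
    "verify your credentials",
    "unusual api activity",
    "unusual activity",
    "immediately",
    "within 24 hours",
    "account will be suspended",
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .com-style names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(domain: str) -> bool:
    """True for an untrusted domain that embeds a trusted brand label, e.g. openai-support.com."""
    if domain in TRUSTED_DOMAINS:
        return False
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    return any(brand in domain.lower() for brand in brands)


def analyze_email(raw: str) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender domain must be on the allowlist.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    if from_domain not in TRUSTED_DOMAINS:
        kind = "lookalike" if is_lookalike(from_domain) else "untrusted"
        findings.append(f"{kind} sender domain: {from_domain or '(none)'}")

    # 2. A Reply-To pointing somewhere else than From is a classic redirection trick.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain differs from From: {reply_domain}")

    # 3. Every link's registrable domain must be trusted; brand-in-hostname is flagged separately.
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: concatenate the plain-text parts
        body = "\n".join(p.get_payload() for p in body if isinstance(p.get_payload(), str))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in TRUSTED_DOMAINS:
            kind = "lookalike" if is_lookalike(host) else "untrusted"
            findings.append(f"{kind} link domain: {host}")

    # 4. Urgency / credential-request language.
    lowered = body.lower()
    findings.extend(f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if p in lowered)

    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample lure modelled on the one quoted in the article.
PHISH_SAMPLE = """\
From: OpenAI Security <security@openai-support.com>
Reply-To: helpdesk@mail-verify.example
To: dev@example.org
Subject: Unusual API activity on your account

Hey Alice, we noticed some unusual API activity from your account in Austin.
Please verify your credentials at https://openai.com.verify-account.example/login
"""

# Constructed benign notice: allowlisted sender, allowlisted link, no pressure language.
LEGIT_SAMPLE = """\
From: OpenAI <privacy@openai.com>
To: dev@example.org
Subject: Notice of a security incident at a third-party vendor

Our analytics vendor experienced an incident. No API keys or passwords were affected.
Details: https://platform.openai.com/docs
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyze_email(sample))
```

This is a triage aid, not a filter: it deliberately errs toward flagging. In a mail pipeline you would also read the `Authentication-Results` header (SPF, DKIM, DMARC) before trusting any From domain, since a well-crafted lure can spoof the display name and header address outright.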
A Note for Dreami Users
Dreami is safe from this leak because it doesn't use OpenAI; Serene, however, does. None of your messages were leaked, as OpenAI made clear in its messaging.