OpenAI Confirms Data Breach Incident - Find Out if You Are Affected

Source: PortaldoBitcoin Original Title: OpenAI, owner of ChatGPT, confirms data breach – find out if you were affected Original Link: OpenAI (the parent company of ChatGPT) confirmed that its analytics provider Mixpanel experienced a security breach earlier this month, resulting in the leak of some user data, including email addresses and location information. The incident was confirmed by the company on Wednesday (26th), raising concerns that cybercriminals may use the stolen information for targeted phishing attacks.

According to Mixpanel, on November 8, an intruder gained access to part of its systems and exported a dataset containing metadata and analytics information that could identify customers. The stolen data includes usernames, email addresses, approximate locations based on browsers, operating system, and browser details.

OpenAI stated that the violation did not include user prompts, API keys, payment information, or authentication tokens.

OpenAI stated that the leaked data only comes from users accessing the technology via the API—specifically through external applications using GPT. In other words, if you access the ChatGPT chatbot directly from the OpenAI website, you will not be affected.

“As part of our security investigation, we have removed Mixpanel from production services, reviewed the affected datasets, and are working closely to fully understand the incident and its scope,” OpenAI said in a statement.

Founded in 2009, Mixpanel is headquartered in San Francisco, California, USA, and is a product analytics platform used to track user behavior in web and mobile applications. The company reported detecting “smishing” activity and, after preliminary investigation and response, alerted OpenAI the following day.

“We are committed to transparency and are notifying all affected customers and users,” said OpenAI. “We also require our partners and vendors to adhere to the highest security and privacy standards.”

Smishing is a phishing attack conducted via text messages. According to a recent report by infrastructure management company Spacelift, this type of activity accounted for 39% of all mobile threats in 2024.

Mixpanel stated that it has secured the affected accounts, revoked active sessions, replaced compromised credentials and blocked malicious IP addresses. The company also reset employee passwords, hired an external cybersecurity firm, and reviewed authentication, session, and export logs.

After a security breach, Mixpanel stated that it has begun notifying affected customers.

“If you have not received our direct communication, it means you have not been affected,” said Jen Taylor, CEO of Mixpanel, in a statement. “We continue to prioritize security as a fundamental principle of our company, products, and services. We are committed to supporting our customers and communicating this incident transparently.”

Although Mixpanel reported the incident to OpenAI, the ChatGPT developer stated that they are terminating their partnership with the data analytics company. “After analyzing the incident, OpenAI has stopped using Mixpanel,” they wrote.

Some customers of OpenAI have turned to social media to express their frustration over third-party services obtaining disclosures of their information.

“I am not satisfied with this at all. […] Why do they have to pass my name and email address to Mixpanel?” a user wrote. “I am just an amateur trying to do some small experiments.”

“The fact that OpenAI sends names and email addresses to a third-party analytics platform (Mixpanel) seems extremely irresponsible,” wrote another user.

OpenAI and Mixpanel did not immediately respond to requests for comment.