OpenAI has disclosed that some users of its API platform may have had their personal information exposed after attackers breached Mixpanel, a third-party web analytics vendor the company used for performance tracking. The breach, which occurred on 9 November 2025, resulted in unauthorised access to customer-linked metadata including usernames, email addresses, organisation or user IDs, browser details and approximate geographical location.

In a statement published Thursday, November 27, OpenAI said Mixpanel notified the company that it was investigating the breach, later sharing affected datasets on November 25. The AI firm emphasised that none of its internal systems were compromised during the incident, and added that the leak did not include chat logs, passwords, authentication tokens, API keys, payment information or identity documents. Front-end users of ChatGPT and other OpenAI consumer products were not affected.

OpenAI’s API platform allows developers to integrate its AI models into products and applications through paid access, making the breach particularly significant for enterprise customers. Mixpanel, which OpenAI has now discontinued using, provided analytics to improve service performance and optimise API consumption.

The company has not confirmed how many users were impacted. However, security analysts warn that exposed personal information may increase the risk of phishing, credential-stuffing attacks and social-engineering attempts targeted at developers and organisations.

The disclosure follows shortly after India introduced its Digital Personal Data Protection Rules, heightening regulatory attention on breach reporting. Some provisions of the new law are already active, with broader compliance and breach-notification obligations expected to take effect over the next 18 months.

OpenAI says it is directly contacting affected organisations, administrators and users. The company advised customers to remain alert for suspicious emails, verify communication sources and enable multi-factor authentication to secure their accounts. It also reiterated that it does not request passwords, API keys or verification codes via email, text or chat.