On November 26, 2025, OpenAI reported a security incident that affected Mixpanel, an external web analytics provider used in the interface of their API product (platform.openai.com). Worried your information might be at risk? How bad is it, and what can you do right now? Below I explain in plain language what happened, which data may have been exposed, and practical steps you can take immediately.
What happened exactly
On November 9, 2025, Mixpanel detected unauthorized access to part of its systems and, on November 25, shared with OpenAI the dataset the attacker had exported. This occurred within Mixpanel’s systems — it was not access to OpenAI’s infrastructure.
There was no compromise of chats, API requests, API keys, passwords, payment information, or government IDs. ChatGPT users were not affected either.
What data may have been affected
OpenAI reports the exposed information was limited and related to usage of the API console (platform.openai.com). Items that may have been included:
- Name that appeared on the API account
- Email address associated with the API account
- Approximate location (city, state, country) based on the browser
- Operating system and browser used
- Referring websites
- Organization or user IDs linked to the API account
If you work at an organization that uses the API, your admin — or you — may receive a direct notification if you were impacted.
What OpenAI did in response
OpenAI removed Mixpanel from its production services, reviewed the affected datasets, and is cooperating with Mixpanel to understand the scope. They are also notifying affected organizations, admins, and users directly.
Additionally, OpenAI announced it has ended its use of Mixpanel and is conducting expanded security reviews with other providers. In short: provider change, review, and ongoing monitoring.
Main risks: phishing and impersonation
The biggest concern here isn’t stolen keys — it’s social engineering. With names, emails, and account metadata, an attacker can craft very convincing emails or messages.
- Stay on guard: any unexpected message with links or attachments could be phishing.
- Verify senders: check that emails claiming to be from OpenAI come from official domains.
- Remember: OpenAI will not ask for passwords, API keys, or verification codes via email or messages.
Imagine an email that looks like a support alert and asks you to “confirm your API key” via a link. That’s exactly the kind of trap to watch for.
What you can do now (concrete actions)
- Enable multi-factor authentication (MFA) on your account if you haven’t already. It’s a simple, effective barrier.
- If you’re an admin: wait for OpenAI’s official notification and review the list of affected users. Communicate internally and raise phishing awareness.
- Educate your team: share phishing examples and ask people to be cautious with unexpected links or files.
- Don’t rotate passwords or keys on impulse if you have no evidence they were compromised; OpenAI does not recommend mandatory rotations for this incident.
- Monitor for unusual activity in your systems and report any suspicious attempts.
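The sender checks above (verify that mail claiming to come from OpenAI uses an official domain, treat any message asking for an API key or code as a lure) and the "educate your team" and "monitor" actions can be turned into a small triage script that people can run on a suspicious message before replying. The following Python example is added here; it is not part of the original post and is not OpenAI tooling. The trusted-domain list and the two sample emails are constructed assumptions for the example; take the real list of sender domains from the vendor's own guidance.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption for this example: the vendor's legitimate sender domains.
# Replace with the list the vendor actually publishes.
TRUSTED_DOMAINS = {"openai.com"}

# Phrases typical of the lure the post describes: a "support alert" that
# asks the reader to hand over a secret. Each is only one signal.
SECRET_REQUEST_PHRASES = ("api key", "password", "verification code")

URL_HOST = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)


def domain_of(address) -> str:
    """Lower-cased domain part of an RFC 5322 address, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable_part(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def is_trusted(host: str) -> bool:
    return registrable_part(host) in TRUSTED_DOMAINS


def is_lookalike(host: str) -> bool:
    """True when a host borrows a trusted brand label but is not that domain,
    e.g. 'openai-support.example' or 'openai.com.login.example'."""
    if not host or is_trusted(host):
        return False
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    return any(brand in host.lower() for brand in brands)


def body_text(msg: Message) -> str:
    """Collect the text/plain content of a parsed message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def triage(raw_message: str) -> dict:
    """Score one raw email and return the findings plus a verdict."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    return_path_domain = domain_of(msg.get("Return-Path"))

    if not is_trusted(from_domain):
        findings.append(f"From domain '{from_domain}' is not on the trusted list")
    if is_lookalike(from_domain):
        findings.append(f"From domain '{from_domain}' imitates a trusted brand")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to '{reply_domain}', not '{from_domain}'")
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path '{return_path_domain}' differs from From")

    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    for phrase in SECRET_REQUEST_PHRASES:
        if phrase in text:
            findings.append(f"Message asks about a secret ('{phrase}')")
    for host in URL_HOST.findall(text):
        if not is_trusted(host):
            findings.append(f"Link points off-domain to '{host}'")

    # Two or more independent signals is the threshold used here (a choice
    # for this example, not a vendor rule); one signal still merits a look.
    verdict = "clean" if not findings else "suspicious" if len(findings) == 1 else "likely phishing"
    return {"verdict": verdict, "findings": findings}


# Constructed samples: one lure of the kind the post warns about, one benign notice.
PHISHING_SAMPLE = """From: OpenAI Support <alerts@openai-support.example>
Reply-To: verify@mail-check.example
Subject: Action required: confirm your API key

Unusual sign-in detected on your API account.
Please confirm your API key within 24 hours at https://openai-support.example/confirm
"""

LEGITIMATE_SAMPLE = """From: OpenAI <noreply@openai.com>
Subject: Security notice regarding a third-party analytics provider

We are writing to inform you of a security incident at a vendor.
No action is required on your part. Details: https://openai.com/
"""

if __name__ == "__main__":
    for label, sample in (("lure", PHISHING_SAMPLE), ("notice", LEGITIMATE_SAMPLE)):
        result = triage(sample)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The checks are deliberately simple and local: header domains, a Reply-To or Return-Path that diverges from the From address, links that leave the trusted domain, and wording that asks for a secret. They will not catch everything, and a message that passes them still deserves the "check the official channel or ask your admin" step the post recommends, but they give a team a shared, repeatable first look instead of a gut feeling.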
Should I worry about my prompts, finances, or API keys?
No: OpenAI confirms that prompts, responses, API usage data, API keys, passwords, payment information, and session tokens were not affected. Products like ChatGPT were not impacted.
What to watch for in the medium term
OpenAI says it will keep users informed if new data emerges that affects people or businesses. They’ve also raised security requirements for their providers, which should reduce future risks.
And if you get an email that looks legitimate but asks for information? Better to check the company’s official channel or talk to your admin before replying.
