OpenAI warns API users after external security breach exposes personal data
OpenAI is alerting developers to a security incident that exposed limited personal information belonging to some API users, after a third-party analytics provider was breached earlier this month. The company says the issue did not involve a breach of OpenAI’s own systems and that ChatGPT users were not affected.
The incident stems from an attack on Mixpanel, a web analytics service previously used on OpenAI’s API dashboard. According to OpenAI, the attacker exported a dataset containing certain account identifiers but no sensitive credentials or chat data. OpenAI says it has now removed Mixpanel from all production environments.
What happened in the breach
Mixpanel notified OpenAI on November 9 that an attacker had gained unauthorized access to part of its systems. Investigators determined the attacker had exported a dataset containing limited profile information from customers who used the API dashboard at platform.openai.com.
On November 25, Mixpanel provided OpenAI with the affected dataset. OpenAI says it immediately reviewed the files, cut Mixpanel off from its services and began notifying impacted organizations and users directly.
The company emphasized that no API keys, passwords, payment information, chat logs, prompts or outputs were exposed. There was also no access to OpenAI’s infrastructure or internal systems.
What data was exposed
OpenAI says the compromised dataset may have included basic profile information provided by API users:
– Name associated with the API account
– Email address
– Approximate (coarse) location: city, state, country
– Browser and operating system information
– Referring websites
– Organization and user IDs used for the API dashboard
The company says none of this information would allow unauthorized access to any OpenAI products or accounts.
The risk now: phishing and social engineering
Although no credentials or API keys were leaked, OpenAI is warning users that exposed names and email addresses could be used for phishing attempts.
The company advises API users to be cautious of unexpected emails, especially those asking for credentials or containing links. OpenAI reiterated that it never asks for passwords, API keys or verification codes via email or chat.
Multi-factor authentication is recommended, though OpenAI says there is no need to reset passwords or rotate API keys as part of this incident.
OpenAI’s response and next steps
OpenAI says it has terminated all use of Mixpanel and is expanding security reviews across its vendor ecosystem. The company says it is raising security requirements for partners and monitoring for any signs of misuse related to the incident.
“We are committed to transparency,” the company said in its disclosure, adding that all impacted users will receive direct notification. OpenAI says it will update customers if new information emerges.
A dedicated support channel has been opened for questions related to the breach: mixpanelincident@openai.com
Sources: OpenAI