OpenAI has alerted its API customers to a security incident at Mixpanel, a third-party analytics provider, which resulted in the exposure of limited user information connected to platform.openai.com. The company emphasised that the breach occurred within Mixpanel’s systems and did not compromise OpenAI’s own infrastructure.
According to the notification, Mixpanel discovered on 9 November 2025 that an attacker had gained unauthorised access to part of its environment and exported a dataset used for customer analytics. Mixpanel informed OpenAI during its investigation and, on 25 November, shared the affected dataset for review.
The information potentially exposed relates to routine web analytics collected on API user accounts. This includes user names and email addresses associated with API profiles, coarse location inferred from browser data such as city and country, details about operating systems and browsers, referring websites, and internal organisation or user IDs. OpenAI noted that no chat content, API requests, usage logs, passwords, API keys, payment details or government identification documents were included.
OpenAI has removed Mixpanel from its production systems as a precaution and is working with the vendor to assess the incident in detail. Impacted administrators and users are being notified directly. The company said there is currently no evidence of misuse or any impact beyond Mixpanel’s environment, but monitoring will continue.
The incident highlights the dependence of technology platforms on external analytics and service providers, an issue that the Global South and emerging digital economies often cite when discussing data sovereignty and supply-chain security. OpenAI stated that it holds its partners to firm security standards and is committed to transparent communication with customers.
The company added that trust, security and privacy remain central to its operations and that it is taking steps to strengthen oversight of third-party tools.
