Overview
- OpenAI says Mixpanel was hit by a smishing attack detected on November 8, shared the affected dataset on November 25, and the exposure was disclosed publicly this week.
- Exposed items were profile and telemetry fields for some API accounts—names, email addresses, coarse location, browser and OS details, referrers, and organization or user IDs—rather than chats or credentials.
- The scope is limited to developer accounts on platform.openai.com, with no impact on consumer ChatGPT services or OpenAI’s own backend systems.
- OpenAI has removed Mixpanel from production, terminated the relationship, begun direct notifications to impacted organizations and users, and initiated broader reviews of third‑party vendors.
- Mixpanel says it revoked sessions, rotated credentials, reset employee passwords, and involved forensics and law enforcement, while neither company has disclosed how many users were affected.