OpenAI confirms new data breach, exposing names, emails, more (www.windowscentral.com)

OpenAI disclosed a security incident tied to a third‑party analytics vendor, Mixpanel, that exposed limited account-identifying data for users of platform.openai.com (API customers). The leaked fields include account names, email addresses, coarse IP-based locations, OS/browser type, referring sites, organizations and user IDs saved to API accounts. OpenAI says ChatGPT chat content, API request payloads, API keys, passwords, payment details and government IDs were not exposed. Mixpanel detected unauthorized access on Nov 9, shared the affected dataset with OpenAI on Nov 25, and OpenAI has since disabled its Mixpanel integration while investigating and warning users to watch for phishing and social‑engineering attempts. For the AI/ML community this underscores two lessons: even non‑sensitive metadata can enable targeted attacks, correlation and deanonymization of developers and customers, and reliance on third‑party analytics expands the attack surface for platforms that host sensitive models and data. Technical implications include increased risk of spear‑phishing against developers or orgs, easier account reconnaissance, and potential linkage of public footprints to private API usage. Recommended mitigations are stricter data‑minimization and vendor audits, segmentation of telemetry, rotation and hardening of account credentials, mandatory multifactor authentication, and careful review of what metadata is sent to analytics services.