OpenAI discloses API customer data breach via Mixpanel vendor hack (www.bleepingcomputer.com)

🤖 AI Summary
OpenAI says a breach at third‑party analytics vendor Mixpanel exposed limited identifying analytics data for some ChatGPT API customers. Mixpanel, hit by a smishing (SMS‑phishing) campaign detected on Nov. 8, shared details of the affected dataset with OpenAI on Nov. 25. Exposed fields may have included account name and email, coarse location (city/state/country), device OS and browser, referring websites, and organization or user IDs. OpenAI stresses that its own systems were not breached and that no chat logs, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were exposed.

Mixpanel and affected customers (CoinTracker has reportedly been among them) have had compromised sessions revoked, credentials rotated, employee passwords reset, and additional controls applied. The incident highlights third‑party telemetry as an attack surface for AI platforms: even non‑sensitive analytics data can enable convincing phishing or social‑engineering campaigns against developers and admins. OpenAI removed Mixpanel from production, began notifying affected users directly, and urged users to enable 2FA, avoid sharing secrets over email, SMS, or chat, and verify that links come from official OpenAI domains.

For operators and security teams, the event underscores the need to inventory vendor data flows, minimize the PII captured in analytics, and apply strict access controls and monitoring to external telemetry services.
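As an added example (not OpenAI's, Mixpanel's, or the article's code), one way to apply the "minimize captured PII in analytics" recommendation: an allowlist-based sanitizer that drops direct identifiers such as name and email, keeps only coarse device and country fields, and replaces account and organization IDs with keyed hashes before an event leaves for a third-party vendor. The field names, the sample event, and the pseudonymization key are assumptions constructed for this example.

```python
"""Allowlist-based sanitizer for analytics events bound for a third-party vendor.

Added example, not OpenAI's or Mixpanel's code. Field names are assumed; in
practice the pseudonymization key would come from a secrets manager.
"""
import hashlib
import hmac
from typing import Any

# Constructed key for demonstration only; treat it like any other secret.
PSEUDONYM_KEY = b"example-pseudonymization-key-rotate-me"

# Fields a product-analytics vendor legitimately needs for usage metrics.
# Country is kept; city and state are not.
ALLOWED_FIELDS = {"event", "timestamp", "os", "browser", "country"}

# Identifiers are forwarded only as keyed hashes, so a vendor-side breach
# cannot be mapped back to real accounts without the key.
PSEUDONYMIZED_FIELDS = {"user_id", "org_id"}

# Anything else (email, name, city, state, referrer, ...) is dropped.


def pseudonymize(value: str) -> str:
    """Return a truncated HMAC-SHA256 of the value under PSEUDONYM_KEY."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()
    return digest[:32]


def sanitize_event(event: dict[str, Any]) -> dict[str, Any]:
    """Keep allowlisted fields, pseudonymize IDs, silently drop the rest."""
    out: dict[str, Any] = {}
    for key, value in event.items():
        if key in ALLOWED_FIELDS:
            out[key] = value
        elif key in PSEUDONYMIZED_FIELDS and value is not None:
            out[key] = pseudonymize(str(value))
    return out


def dropped_fields(event: dict[str, Any]) -> set[str]:
    """Report which fields would never reach the vendor, for auditing."""
    return set(event) - ALLOWED_FIELDS - PSEUDONYMIZED_FIELDS


# Constructed sample event mirroring the field types named in the disclosure.
SAMPLE_EVENT = {
    "event": "api_key_created", "timestamp": "2025-11-08T12:00:00Z",
    "email": "dev@example.com", "name": "Example Developer",
    "city": "Austin", "state": "TX", "country": "US",
    "os": "macOS", "browser": "Firefox",
    "referrer": "https://example.com/internal/docs",
    "user_id": "user-123", "org_id": "org-456",
}

if __name__ == "__main__":
    print(sanitize_event(SAMPLE_EVENT))
    print("dropped:", sorted(dropped_fields(SAMPLE_EVENT)))
```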