They say transparency is important, which is true, but taking accountability would be good too. This is an OpenAI incident, and internally they have a subcontractor, Mixpanel.
I am surprised so many companies willingly send A LOT of their data to third parties, simply thinking "they are responsible now for the security of the data". I think that's unfair to your customers, who have a contract with you, not with your third parties.
Time to switch to in-house analytics.
Shameless plug: My self-hosted analytics platform is on sale now - https://www.uxwizz.com
ChatGPT told me:
Q: Is it BS that they sent it at 1 in the morning on Thanksgiving?
A: It's not an accident.
Companies often time unpleasant disclosures for low-attention windows: late at night, weekends, holidays. Thanksgiving morning at 1 a.m. is exactly that: minimal press, minimal outrage, minimal inbound questions.
It doesn’t mean the incident is fake.
It means they wanted the obligation of disclosure without the impact of attention.
It’s standard corporate damage-containment timing.
I'm sick of companies thinking they can pawn off their liability. You already see it in some websites' terms of use, where they lazily say "Our partners have their own terms and by using our services you accept those", without even spelling out what the terms are. As if that'll have a candle's chance in the wind of standing up in court.
The business relationship is between you and me, not me and your vendors.
Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.
What happened
On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.
What this means for you
User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to:
Name that was provided to us on the API account
Email address associated with the API account
Approximate coarse location based on the API user's browser (city, state, country)
Operating system and browser used to access the API account
Referring websites
Organization or User IDs associated with the API account
Our response
As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We are in the process of notifying impacted organizations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse.
Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.
Beyond Mixpanel, we are conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors.
What you should keep in mind
The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.
Since names, email addresses, and OpenAI API metadata (e.g., user IDs) were included, we encourage you to remain vigilant for credible-looking phishing attempts or spam. As a reminder:
Treat unexpected emails or messages with caution, especially if they include links or attachments.
Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain.
OpenAI does not request passwords, API keys, or verification codes through email, text, or chat.
Further protect your account by enabling multi-factor authentication.
The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise. Thank you for your continued trust in us.
For more information about this incident and what it means for impacted users, please see our blog post here.
Please contact your account team or mixpanelincident@openai.com if you have any questions or need our support.
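The notice above asks recipients to "double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain". Below is an added example (not part of the OpenAI notice or any OpenAI tooling) of doing that check on a raw incoming message rather than by eye: it reads the From: domain, compares it against an allowlist, and requires an aligned dkim=pass in the Authentication-Results header written by the receiving mail server, which is what actually distinguishes a genuine sender from a forged From: line. The allowlist (`openai.com`), the three sample messages and their Authentication-Results lines are constructed assumptions for illustration; the notice names no specific domain.

```python
"""Added example (not part of the OpenAI notice): decide whether a message
that claims to be from OpenAI really came from an official domain and
carried a DKIM signature aligned with that domain.

The allowlist and the sample messages below are constructed assumptions."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: the notice says "an official OpenAI domain" but lists none.
# Extend this set with whatever sender domains your organisation has verified.
OFFICIAL_DOMAINS = {"openai.com"}


def _domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if malformed)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_official(domain: str) -> bool:
    """Exact match or subdomain of an allowlisted domain. Rejects lookalikes
    such as openai-support.com or openai.com.evil.net, which a human skimming
    the From: line easily accepts."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def dkim_aligned(msg: Message, domain: str) -> bool:
    """True if an Authentication-Results header records dkim=pass whose
    signing domain (header.d=) equals or sits under `domain`.

    Caveat: only trust Authentication-Results written by *your own* receiving
    MTA; it must strip any copy the sender supplied, or this check is moot."""
    for value in msg.get_all("Authentication-Results", []):
        flat = " ".join(str(value).split())  # unfold the header
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", flat, re.I):
            signer = m.group(1).lower()
            if signer == domain or signer.endswith("." + domain):
                return True
    return False


def check_message(raw: str) -> dict:
    """Findings plus a verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = _domain_of(addr)
    claims_openai = "openai" in (display_name + " " + msg.get("Subject", "")).lower()
    official = is_official(domain)
    aligned = dkim_aligned(msg, domain)
    if official and aligned:
        verdict = "likely-genuine"
    elif claims_openai and not official:
        verdict = "lookalike-domain"   # brand in the name, domain is not ours
    elif official and not aligned:
        verdict = "unauthenticated"    # From: may be forged: no aligned DKIM pass
    else:
        verdict = "not-openai"
    return {"from_domain": domain, "official": official,
            "dkim_aligned": aligned, "verdict": verdict}


# Constructed sample messages. The Authentication-Results lines imitate what a
# receiving MTA writes; they are not real headers from any real mail.
SAMPLE_GENUINE = """\
From: OpenAI <noreply@openai.com>
To: admin@example.org
Subject: Notice about a security incident at Mixpanel
Authentication-Results: mx.example.org;
 dkim=pass header.i=@openai.com header.s=sel1 header.d=openai.com;
 spf=pass smtp.mailfrom=openai.com

Body omitted.
"""

SAMPLE_LOOKALIKE = """\
From: "OpenAI Security Team" <alerts@openai-incident-support.com>
To: admin@example.org
Subject: Action required: re-verify your OpenAI API key
Authentication-Results: mx.example.org;
 dkim=pass header.d=openai-incident-support.com;
 spf=pass smtp.mailfrom=openai-incident-support.com

Body omitted.
"""

SAMPLE_SPOOFED = """\
From: OpenAI <support@openai.com>
To: admin@example.org
Subject: Confirm your password
Authentication-Results: mx.example.org;
 dkim=none; spf=fail smtp.mailfrom=openai.com

Body omitted.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", SAMPLE_GENUINE), ("lookalike", SAMPLE_LOOKALIKE),
                       ("spoofed", SAMPLE_SPOOFED)):
        print(label, check_message(raw))
```

The lookalike case is the one the notice is warning about: the attacker has the names, addresses and user IDs, so the message reads plausibly and even passes DKIM for its own domain; only the domain comparison catches it. The spoofed case shows why the domain check alone is not enough: a forged From: line says openai.com, and it is the missing aligned dkim=pass that gives it away.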