OpenAI confirms data breach via analytics provider Mixpanel
OpenAI has confirmed a security incident involving its third-party analytics provider, Mixpanel, which led to the exposure of limited user data connected to its API platform.
The company stated that its own systems were unaffected and that user credentials, payment information, and API data were not compromised, News.Az reports, citing foreign media.
The incident involved unauthorized access to a dataset within Mixpanel’s systems, resulting in the export of data containing identifiable information of some API account users.
Potentially exposed details included names associated with API accounts, email addresses, approximate locations, operating system and browser information, referring websites, and organization or user IDs linked to the accounts.
OpenAI emphasized that no chat logs, API requests, passwords, keys, payment details, or sensitive identification documents were accessed. The breach affected only data collected for analytics purposes through Mixpanel.
OpenAI has ended its use of Mixpanel in its production services and reviewed all datasets involved in the incident. The company stated that it has worked with Mixpanel and other partners to assess the scope of the breach and is communicating directly with organisations and users affected.
OpenAI said there is no evidence that the incident impacted any systems or information outside of Mixpanel's environment. The company has nevertheless stated that it continues to monitor for potential misuse of the affected data.
OpenAI is carrying out expanded security audits across its entire vendor ecosystem and is raising security requirements for all third-party partners. OpenAI also stated that it will hold external vendors to higher security standards as part of its ongoing response.
Information potentially accessed through Mixpanel may expose users to an increased risk of phishing or social engineering attempts.
Names, email addresses, and user identifiers were among the details exposed. OpenAI has advised all customers and users to remain vigilant for any suspicious or unsolicited communications that could be related to this incident. The company reiterated that it does not request sensitive information such as passwords, API keys, or verification codes via email, text, or chat.
Users have also been encouraged to enable multi-factor authentication as an additional protective measure for their accounts.
Similar news
