Mixpanel security incident: what OpenAI users need to know
Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com).
The incident occurred within Mixpanel’s systems and involved limited analytics data related to some users of the API. Users of ChatGPT and other products were not impacted.
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.
What happened
On November 9, 2025, Mixpanel became aware of an attacker who had gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.
What this means for impacted users
User profile information associated with the use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to:
- Name that was provided to us on the API account
- Email address associated with the API account
- Approximate coarse location based on API user browser (city, state, country)
- Operating system and browser used to access the API account
- Referring websites
- Organization or User IDs associated with the API account
Our response
As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We are in the process of notifying impacted organizations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse.
Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.
Beyond Mixpanel, we are conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors.
What you should keep in mind
The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.
Since names, email addresses, and OpenAI API metadata (e.g., user IDs) were included, we encourage you to remain vigilant for credible-looking phishing attempts or spam. As a reminder:
- Treat unexpected emails or messages with caution, especially if they include links or attachments.
- Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain.
- OpenAI does not request passwords, API keys, or verification codes through email, text, or chat.
- Further protect your account by enabling multi-factor authentication.
The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise. Thank you for your continued trust in us.
OpenAI
FAQ
Why did OpenAI use Mixpanel?
- Mixpanel was used as a third-party web analytics provider to help us understand product usage and improve our services for our API product (platform.openai.com).
Was this caused by a vulnerability in OpenAI’s systems?
- No. This incident was limited to Mixpanel’s systems and did not involve unauthorized access to OpenAI’s infrastructure.
How do I know if my organization or I were impacted?
- We are in the process of notifying those impacted now, and we will reach out to you, or your organization admin, directly via email to inform you.
Was any of my API data, prompts, or outputs affected?
- No. Chat content, prompts, responses, and API usage data were not impacted.
Were ChatGPT accounts affected by this?
- No. Users of ChatGPT and other products were not impacted.
Were OpenAI passwords, API keys, or payment information exposed?
- No. OpenAI passwords, API keys, payment information, government IDs, and account access credentials were not impacted. Additionally, we have confirmed that session tokens, authentication tokens, and other sensitive parameters for OpenAI services were not impacted.
Do I need to reset my password or rotate my API keys?
- Because passwords and API keys were not affected, we are not recommending resets or key rotation in response to this incident.
What are you doing to protect my personal information and privacy?
- We have obtained the impacted datasets for independent review and are continuing to investigate potential impact, and monitor closely for any signs of misuse. We are notifying all individually impacted users and organizations and are in contact with Mixpanel on further response actions.
Has Mixpanel been removed from OpenAI products?
- Yes.
Should I enable multi-factor authentication for my account?
- Yes. While account credentials or tokens were not impacted in this incident, as a best practice security control, we recommend all users enable multi-factor authentication to further protect their accounts. For enterprises and organizations, we recommend that MFA is enabled at the single sign-on layer.
Will I receive further updates if something changes?
- We’re committed to transparency and will keep you informed if we identify new information that materially affects impacted users. We will also update this FAQ.
Is there someone I can reach out to if I have questions?
- If you have questions, concerns, or security issues, you can reach our support team at mixpanelincident@openai.com.