OpenAI has issued a global security alert to millions of ChatGept users following a data breach at Mixpanel, the third-party analytics provider used for its API platform. The company issued a worldwide alert this week, leaving many users wondering if their data had been compromised. However, OpenAI has now clarified that the incident occurred entirely within Mixpanel’s systems, not within OpenAI’s own infrastructure.

Why is OpenAI sending warnings to ChatGPT users?

To avoid confusion and maintain transparency, OpenAI sent a warning to all ChatGPT users, whether they were affected or not. According to the company, only a limited subset of the analytics data associated with its API product was exposed. Importantly, OpenAI has confirmed that no chat histories, passwords, API keys, payment details, government IDs or usage logs have been compromised.

The company notes that the compromised dataset includes analytics information from platform.openai.com, which is used by developers and organizations accessing OpenAI’s API products. It also reiterated that regular ChatGPT users, who use the website or mobile app for everyday conversations, are not affected by this security breach and need not take any action.

What are the security concerns?

OpenAI explains that the security breach stems from an incident that Mixpanel discovered on November 9, when an attacker gained unauthorized access to part of its system and exported analytics data. Mixpanel informed OpenAI that the compromised dataset contained limited customer-identifiable information. OpenAI received the full affected dataset on November 25 and began issuing alerts shortly after.

Although the notification was sent to all users, only those with an API account were potentially affected and were contacted directly with specific guidance.

Which users are affected by the ChatGPT warning?

OpenAI has made it clear that regular ChatGate users, who use chatbots on the website or mobile app for everyday conversations, are not affected by the breach. Their data was not included, and no further action is required.

The only group that may be affected are API product users, such as developers, companies or organizations that use platform.openai.com to integrate OpenAI’s API services. These users have been notified directly with more detailed information.

The exposed data includes basic profile information such as name, email addresses, estimated location based on browser data, operating system and browser details, referring websites, and organization or user IDs associated with API accounts.

OpenAI reassures users that although this information is not highly sensitive, it can still be misused for phishing or social engineering attacks. As a precaution, the company has removed Mixpanel from all production environments and permanently terminated use of the analytics service.

OpenAI urges users to remain vigilant

In its advisory, OpenAI also urged API users to be vigilant about suspicious messages, especially those that appear credible or reference OpenAI products. Users are encouraged to double-check that any communication claiming to be from OpenAI is sent from an official domain, avoid clicking unexpected links, and never share sensitive credentials via email, text, or chat. The company also advised enabling multi-factor authentication and avoiding public sharing of organization or user IDs, which could be exploited by attackers.