
OpenAI vendor data breach puts personal data at risk

In Vendor News, Data Breach News
December 02, 2025

Paubox reports on the recent Mixpanel incident and why it matters:

OpenAI experienced a third-party data breach on November 9, 2025, when its vendor, Mixpanel, reported unauthorized access within its own systems. 

What happened

According to OpenAI’s own disclosure of the incident on November 28, 2025, the attacker exported a dataset containing limited customer-identifiable analytics tied to OpenAI API accounts. In response, OpenAI removed Mixpanel from production and began its own investigation.

The company noted in its response that the breach happened inside Mixpanel’s environment, not OpenAI’s own. No chat content, API keys, passwords, credentials, or payment data were exposed. The compromised information included names, email addresses, approximate locations, and device and browser details.

OpenAI notified all affected organizations, administrators, and users directly and warned that the most realistic fallout for developers is targeted phishing, because attackers now hold the metadata needed to craft credible messaging.

What was said

The Mixpanel notice of security incident stated: “Out of transparency and our desire to share with our community, this blog post contains key information about a recent security incident that impacted a limited number of our customers. On November 8th, 2025, Mixpanel detected a smishing campaign and promptly executed our incident response processes. We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts. We engaged external cybersecurity partners to remediate and respond to the incident.”

Why it matters

The incident did not start inside OpenAI’s own systems, but it shows how much a vendor can affect an organization’s data privacy. Mixpanel wasn’t handling anything sensitive like chat logs or API keys, yet the profile details it held are exactly the kind of breadcrumbs attackers use to launch convincing phishing campaigns.

Read more at Paubox.