OpenAI said a Mixpanel breach exposed API user metadata—and urged customers to watch for phishing attacks.
- Mixpanel said an attacker accessed part of its systems and exported customer-identifiable metadata.
- OpenAI said no prompts, API keys, payment information, or authentication tokens were involved.
- Both companies reviewed the incident, notified affected users, and outlined new security steps
-
A breach at analytics provider Mixpanel earlier this month exposed account names, email addresses, and browser locations for some users of OpenAI’s API, the AI giant confirmed Wednesday, raising concerns that cybercriminals could use the stolen metadata in targeted phishing attempts.
According to Mixpanel, on November 8, an unknown attacker gained access to part of its systems and exported a dataset containing customer-identifiable metadata and analytics information. The stolen data included usernames, email addresses, approximate browser-based location, operating system, and browser details.
OpenAI said the breach did not include users’ prompts, API keys, payment information, or authentication tokens.
Only data from users who accessed OpenAI’s tech via the API—aka, via external apps powered by GPT—was leaked, the company said. In other words, if you access the ChatGPT chatbot directly from OpenAI’s website, then you won’t be impacted here.
-
“As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope,” OpenAI said in a statement.
Founded in 2009, the San Francisco-based Mixpanel is a product analytics platform used to track user behavior across web and mobile applications. The company said it detected the “smishing” campaign, and after an initial investigation and response, alerted OpenAI the next day.
“We are committed to transparency, and are notifying all impacted customers and users,” OpenAI said. “We also hold our partners and vendors accountable for the highest bar for security and privacy of their services.”
Mixpanel said it secured affected accounts, revoked active sessions, rotated compromised credentials, and blocked malicious IP addresses. The company also reset employee passwords, hired external cybersecurity firms, and reviewed authentication, session, and export logs.
After the breach, Mixpanel said it began notifying impacted customers about the incident.
“If you have not heard from us directly, you were not impacted,” Mixpanel CEO Jen Taylor said in a statement. “We continue to prioritize security as a core tenet of our company, products, and services. We are committed to supporting our customers and communicating transparently about this incident.”
(Courtesy:Dycrypt.co)
