OpenAI has terminated its partnership with analytics firm Mixpanel following a data breach that exposed the personal information of developers using its API platform. The incident, which OpenAI publicly disclosed on November 27, 2025, stems from an unauthorized intrusion into Mixpanel’s systems on November 9, 2025. While Mixpanel alerted OpenAI to the investigation shortly after the breach, the specific dataset confirming the exposure of OpenAI developer profiles was not shared until November 25, 2025.
The breach is strictly limited to users of platform.openai.com, the environment where developers build and manage applications using OpenAI’s models. OpenAI has explicitly confirmed that the incident did not touch its own infrastructure or the consumer-facing ChatGPT service.
Credentials and other sensitive data, including passwords, API keys, payment information, and government IDs, remain secure. However, the leaked dataset contains metadata that could be weaponized for targeted social engineering attacks. Exposed fields include the names and email addresses associated with API accounts, organization IDs, user IDs, browser and operating system details, referring websites, and coarse location data derived from browser sessions.
In response to the vendor failure, OpenAI has removed Mixpanel from its production services and is conducting an expanded security review of its entire third-party ecosystem. Although the breach did not compromise authentication tokens, OpenAI is advising all users to enable multi-factor authentication (MFA) as a precautionary defense against future credential stuffing or phishing attempts that may leverage the leaked profile data. This event underscores the supply chain vulnerabilities inherent in scaling software platforms; even when a primary company's own infrastructure is secure, the third-party analytics and utility providers integrated into its stack can serve as backdoors for data exfiltration.





