OpenAI, the company behind the popular AI chatbot ChatGPT, has sent emails to users informing them of a security incident involving Mixpanel, a third-party analytics provider, that exposed limited ChatGPT user information from its API platform, due to the data breach.
In its email, OpenAI notified that the breach occurred on November 9, when an attacker gained unauthorised access to Mixpanel's systems and exported a dataset containing limited customer identifiable information and analytics data. Mixpanel shared the affected dataset with OpenAI on November 25, prompting the company to notify impacted users.
"As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We are in the process of notifying impacted organisations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse," OpenAI said in a statement.
ChatGPT users were not impacted
OpenAI stated the incident involved limited analytics data related to API accounts, but emphasised that ChatGPT users and other product users were not impacted. No chat content, API requests, passwords, credentials, API keys, payment details, or government IDs were compromised.
The exposed information includes names provided to OpenAI on API accounts, email addresses, approximate locations based on web browser data, device details including browser and operating system, and user IDs associated with API accounts.
Following the incident, OpenAI has terminated its use of Mixpanel and is conducting additional security reviews across its vendor ecosystem, while elevating security requirements for all partners and vendors.
The company warns that the exposed information could potentially be used for phishing or social engineering attacks. OpenAI reminds users that it never requests passwords, API keys, or verification codes through email, text, or chat. While password resets are not required, OpenAI recommends all users enable multi-factor authentication as a security best practice.
