Article Details
Scrape Timestamp (UTC): 2025-11-27 15:51:40.777
Source: https://www.theregister.com/2025/11/27/openai_mixpanel_api/
Original Article Text
OpenAI cuts off Mixpanel after analytics leak exposes API users
ChatGPT maker places other vendors under review following breach
OpenAI says API users may be affected by a recent breach at its former data analytics provider, Mixpanel.
Limiting the exposure somewhat, only users of OpenAI's platform – its tools to develop AI-powered products – are affected. Typical users of ChatGPT need not worry unless they too use the API.
Mixpanel detected the data breach on November 9 and shared the dataset with OpenAI on November 25. The data types involved pertain to profile information associated with OpenAI platform accounts and include names, email addresses, approximate locations, operating system and browser details, referring websites, and organization or user IDs associated with the account.
OpenAI said it dropped Mixpanel as a result of the attack and is carrying out wider security reviews across its vendor ecosystem, elevating the requirements for each.
It said in an announcement: "As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We are in the process of notifying impacted organizations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel's environment, we continue to monitor closely for any signs of misuse.
"Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel."
OpenAI did not reveal how many users might be affected by the Mixpanel breach, but confirmed it is notifying them directly. The Register asked for more information.
As you'd expect from a breach notification, the company warned users to be wary of possible phishing attempts, but said they don't need to go as far as resetting their passwords. The main concerns here are convincing emails that contain suspicious links or attachments, or attempt to capture passwords and verification codes.
OpenAI's public statement on the matter is a carbon copy of the information issued to affected customers directly, which has been shared by security pros on social media.
The ChatGPT maker said it formerly used Mixpanel for web analytics to better understand how customers used its API, before dropping it in the wake of the breach.
The Register also asked Mixpanel for its take on the breach and OpenAI's decision to terminate its agreement, but it only directed us back to OpenAI's statement.
Daily Brief Summary
OpenAI's former data analytics provider, Mixpanel, experienced a data breach affecting API users, with no impact on regular ChatGPT users unless they also use the API.
The breach involved profile data such as names, email addresses, locations, operating systems, and browser details linked to OpenAI platform accounts.
Mixpanel detected the breach on November 9, sharing the affected dataset with OpenAI by November 25, prompting OpenAI to sever ties with the provider.
OpenAI is conducting a comprehensive security review of its vendor ecosystem, raising security standards and notifying impacted organizations, administrators, and users directly.
The breach has led OpenAI to stress vigilance against phishing attempts, advising users to be cautious of suspicious emails but not requiring password resets.
OpenAI remains committed to transparency and has publicly shared its notification details, emphasizing the importance of trust, security, and privacy in its operations.
The incident underscores the need for robust vendor management and security practices to safeguard sensitive data and maintain customer trust.