Artificial intelligence firm OpenAI has disclosed a significant security incident that exposed the personal information of certain ChatGPT users. The company confirmed that attackers gained unauthorised access to user data through its third-party analytics provider, Mixpanel.
What Happened in the Security Breach?
The cybersecurity incident occurred on 9 November 2025, when malicious actors compromised systems belonging to Mixpanel, OpenAI's data analytics partner. According to OpenAI's official statement, this was not a direct breach of OpenAI's own systems, but rather an attack on the third-party service provider.
Stolen information includes users' names, email addresses, location data, operating system details and browser information. Importantly, OpenAI emphasised that only users with accounts for accessing the company's API were affected by this cyber attack.
What Information Remains Secure?
OpenAI moved quickly to reassure users about what data was not compromised in the incident. The company stated that no chat histories, API requests, API usage data, passwords, credentials, API keys, payment details or government identification documents were exposed.
In response to the breach, OpenAI has removed Mixpanel from its production services and is conducting a comprehensive security investigation. The company stated: "The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise."
Potential Risks and Protective Measures
While no evidence has emerged of the stolen data being misused, OpenAI warned that hackers could employ it in phishing or social engineering attacks. The company advised affected users to "remain vigilant for credible-looking phishing attempts or spam".
This isn't the first security issue to impact ChatGPT users since the AI chatbot launched in November 2022. In March 2023, researchers discovered a bug that allowed some users to view others' private details, including partial payment information. Later that year, malware infections on over 100,000 devices stole ChatGPT login credentials, though OpenAI's infrastructure remained secure.
Following this latest breach, OpenAI committed to conducting additional security reviews of all third-party applications and services, while also elevating security requirements for partners and vendors.