OpenAI has warned its users that limited analytics data associated with some of its API product users may have been exposed following a security incident at its third-party data analytics provider, Mixpanel. The incident, which it said did not involve a breach of OpenAI’s systems or those of ChatGPT users, occurred within Mixpanel’s environment, the company confirmed in a blog post.

Earlier this month, an attacker gained unauthorised access to Mixpanel’s systems and exported a dataset. OpenAI was notified and received the affected data on November 25. The company reiterated that the exposed data, linked only to accounts using the API product, was limited to non-sensitive user profile information. This information may have included:
- Name provided on the API account
- Email address associated with the API account
- Approximate location (city, state, country)
- Operating system and browser used
- Referring websites and Organisation/User IDs
The company noted that OpenAI has since removed Mixpanel from its production services and is currently notifying all impacted organisations, admins, and users directly. The company emphasises that no sensitive data, such as chat logs, passwords, API keys, payment details, or government IDs, was compromised.

In its blog post, OpenAI wrote: “Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel. Beyond Mixpanel, we are conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors.”
OpenAI’s security advice to affected users
The company advised users that the information involved in this incident could be used in phishing or social engineering attacks against them or their organisations. Since names, email addresses, and OpenAI API details (such as user IDs) were included, users have been advised to stay alert for messages that appear legitimate but may be fraudulent. They have been reminded to:
- Be cautious with unexpected emails or messages, especially those containing links or attachments.
- Verify that any message claiming to be from OpenAI is sent from an official OpenAI domain.
- Note that OpenAI does not ask for passwords, API keys, or verification codes through email, text, or chat.
- Strengthen account security by enabling multi-factor authentication.

