Briefly
Mixpanel stated an attacker accessed a part of its programs and exported customer-identifiable metadata.
OpenAI stated no prompts, API keys, cost info, or authentication tokens have been concerned.
Each firms reviewed the incident, notified affected customers, and outlined new safety steps.
A breach at analytics supplier Mixpanel earlier this month uncovered account names, e-mail addresses, and browser places for some customers of OpenAI’s API, the AI large confirmed Wednesday, elevating issues that cybercriminals may use the stolen metadata in focused phishing makes an attempt.
Based on Mixpanel, on November 8, an unknown attacker gained entry to a part of its programs and exported a dataset containing customer-identifiable metadata and analytics info. The stolen information included usernames, e-mail addresses, approximate browser-based location, working system, and browser particulars.
OpenAI stated the breach didn’t embody customers’ prompts, API keys, cost info, or authentication tokens.
Solely information from customers who accessed OpenAI’s tech by way of the API—aka, by way of exterior apps powered by GPT—was leaked, the corporate stated. In different phrases, in case you entry the ChatGPT chatbot instantly from OpenAI’s web site, then you definately will not be impacted right here.
“As a part of our safety investigation, we eliminated Mixpanel from our manufacturing companies, reviewed the affected datasets, and are working carefully with Mixpanel and different companions to completely perceive the incident and its scope,” OpenAI stated in an announcement.
Based in 2009, the San Francisco-based Mixpanel is a product analytics platform used to trace person habits throughout internet and cellular functions. The corporate stated it detected the “smishing” marketing campaign, and after an preliminary investigation and response, alerted OpenAI the subsequent day.
“We’re dedicated to transparency, and are notifying all impacted prospects and customers,” OpenAI stated. “We additionally maintain our companions and distributors accountable for the very best bar for safety and privateness of their companies.”
Smishing is a kind of phishing assault performed by SMS messages. Based on an October report by infrastructure administration firm Spacelift, smishing accounted for 39% of all cellular threats in 2024.
Mixpanel stated it secured affected accounts, revoked lively periods, rotated compromised credentials, and blocked malicious IP addresses. The corporate additionally reset worker passwords, employed exterior cybersecurity corporations, and reviewed authentication, session, and export logs.
After the breach, Mixpanel stated it started notifying impacted prospects concerning the incident.
“When you have not heard from us instantly, you weren’t impacted,” Mixpanel CEO Jen Taylor stated in an announcement. “We proceed to prioritize safety as a core tenet of our firm, merchandise, and companies. We’re dedicated to supporting our prospects and speaking transparently about this incident.”
Regardless of Mixpanel’s reporting of the incident to OpenAI, the ChatGPT developer stated it was chopping ties with the analytics agency. “After reviewing this incident, OpenAI has terminated its use of Mixpanel,” they wrote.
Some OpenAI prospects took to social media to precise frustration with the revelation {that a} third-party service had entry to their info.
“I am not very completely satisfied about this. […] Why did they must move on my identify and e-mail deal with to Mixpanel?” one person wrote on X. “I’m only a hobbyist making an attempt to make small experiments.”
“OpenAI sending names and emails to a 3rd get together analytics platform (Mixpanel) feels wildly irresponsible,” one other wrote.
OpenAI and Mixpanel didn’t instantly reply to requests for remark by Decrypt.
Typically Clever E-newsletter
A weekly AI journey narrated by Gen, a generative AI mannequin.
