OpenAI apologizes for big Mixpanel data breach that exposed emails and more – here's what we know
Data analytics firm involved with OpenAI's developer platform was compromised
- OpenAI has apologized for a data breach that compromised one of its partners
- Mixpanel, a data analytics outfit that OpenAI used, had its systems breached
- The leaked details pertain to software developers using OpenAI's developer platform, and not everyday users of ChatGPT
OpenAI has issued an apology for a data breach suffered by one of its partners that has caused some emails, user locations and telemetry data to be leaked.
Mixpanel is the third party in question, a data analytics outfit that OpenAI used with its platform.openai.com portal. This is OpenAI's developer platform (used by software developers to integrate AI functionality into their products) for which Mixpanel facilitated web analytics.
It's important to note that this is not a breach related to ChatGPT, but to said analytics company, which is entirely separate from OpenAI. The details leaked only relate to software developers, not everyday users of ChatGPT, as OpenAI makes clear in its full statement on the matter (spotted by Windows Central).
That statement covers a number of concerns, which, as you might imagine, start with people seeing headlines about a 'ChatGPT data breach' and panicking that their user details might have been leaked, or maybe even their private conversations with ChatGPT.
OpenAI tells us: "Users of ChatGPT and other products were not impacted.
"This was not a breach of OpenAI's systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed."
What was exposed then?
OpenAI informs us that the breach of Mixpanel's systems "involved limited analytics data related to some users of the API", so only some developers on that platform have been hit.
OpenAI is in the process of contacting those affected, and the details leaked are certain pieces of user profile information, which includes the following:
- Name that was provided on the API account
- Email address associated with the API account
- Approximate coarse location based on API user browser (city, state, country)
- Operating system and browser used to access the API account
- Referring websites
- Organization or User IDs associated with the API account
OpenAI again clarifies that "OpenAI passwords, API keys, payment information, government IDs, and account access credentials were not impacted" for any developers.
Is there a danger of unforeseen repercussions or more revelations to come?
OpenAI assures us: "While we have found no evidence of any effect on systems or data outside Mixpanel's environment, we continue to monitor closely for any signs of misuse."
This doesn't fully rule out that there might be further problems that OpenAI's ongoing investigation could turn up, but it very much seems that any issues are going to lie with software developers here.
What is OpenAI doing about this?
OpenAI is obviously taking this incident seriously and Mixpanel's services have been terminated. OpenAI also says that it's conducting "expanded security reviews across our vendor ecosystem" in light of the incident and "elevating security requirements" for all its partners, which suggests that OpenAI acknowledges its failure in judgement in terms of employing this particular partner.
Because there's bound to be some concern over how this reflects on OpenAI more broadly – even though the breach wasn't its fault – it seems a sensible move for OpenAI to go back and vet the other firms that it works with, bearing this recent breach firmly in mind.
Nothing to worry about – but nonetheless, here's a security reminder
Hopefully what's been reported by OpenAI here will be the full extent of the breach after the investigation into the incident has been fully signed off. For those affected, that won't be much of a comfort, but as noted, that should only be software developers who use OpenAI's API platform.
Due to the limited nature of the breach, OpenAI is not even recommending that developers reset their passwords.
However, in its mini-FAQ at the end of the statement, OpenAI advises that all users should enable multi-factor authentication (MFA) on their accounts if they haven't already, even though developer account details weren't involved in the breach. This is simply because MFA really should be used with any online account you have, where available, as best security practice.
Adding another authentication step on top of entering your password – such as receiving a code by text to your phone – means that if your username and password details are ever leaked, you have a failsafe that prevents someone trying to compromise your account from logging in.
Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).