OpenAI users exposed by supply-chain attack

Breach of analytics provider Mixpanel exposed data of API users

OpenAI has reported the exposure of data belonging to users of one of its APIs, via the breach of a third-party vendor.

The potential breach does not affect users of ChatGPT, according to OpenAI, but rather those accessing its services via its platform.openai.com API. These users may have had names, email addresses, approximate location, OS and browser, referring websites and organisation leaked.

The breach resulted from an attack on third-party analytics provider Mixpanel, used by OpenAI to monitor usage of the API. The attack was spotted by Mixpanel on 9th November and the company then shared data with the AI giant.

In a blog post OpenAI said: “As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope.”

It added: “No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.”

OpenAI says it is in the process of contacting anyone affected, urging vigilance against possible phishing attempts using stolen data.

At this stage, it is hard to ascertain the seriousness of this breach, but it is yet another example of a supply-chain attack. It adds to the list of incidents this year that started with an assault on third-party software, including M&S, Harrods, Coop and JLR.

OpenAI does not publish the number of users of its APIs, but analysts from SQ Magazine estimate that more than 2.1 million developers were actively building on the OpenAI platform as of Q2 2025.

Ben Schilz, CEO of secure communications firm Wire, commented that it feeds into the narrative around control and sovereignty: “The real story is not the breach of an AI platform. It is the wider problem with today’s software stacks,” he said.

“Boardrooms need to start asking which digital dependencies they have inherited and whether the companies they partner with genuinely prioritise sovereignty.”
