Key Takeaways
- OpenAI confirmed a data breach affecting ChatGPT users’ personal information
- The breach occurred through third-party analytics provider Mixpanel on November 9
- Only API account users were affected; no chat data or passwords were compromised
OpenAI has revealed a security breach that exposed ChatGPT users’ personal data through unauthorized access to its third-party analytics provider, Mixpanel. The incident occurred on November 9, compromising names, email addresses, location data, operating systems, and browser information of affected users.
What Information Was Compromised?
The stolen data includes users’ names, email addresses, location information, operating system details, and browser data. OpenAI clarified that only users with API access accounts were impacted by this cyber attack.
“This was not a breach of OpenAI’s systems,” the company stated in an official blog post. “No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.”
Security Response and User Advisory
OpenAI has launched a security investigation and removed Mixpanel from its production services. While no evidence of data misuse has been found, the company warned that hackers could use the stolen information for phishing or social engineering attacks.
“We encourage you to remain vigilant for credible-looking phishing attempts or spam,” OpenAI advised users. “The security and privacy of our products are paramount, and we remain resolute in protecting your information.”
Previous Security Incidents
This isn’t the first security issue affecting ChatGPT users since its November 2022 launch. In March 2023, OpenAI took ChatGPT offline after a bug exposed some users’ private details, including partial payment information and chat metadata.
Later in 2023, cybersecurity firm Group-IB reported that over 100,000 devices were infected with malware that stole ChatGPT login credentials. Neither incident involved breaches of OpenAI’s core servers or infrastructure.
Following the latest breach, OpenAI committed to “conducting additional and expanded security reviews” of third-party applications and “elevating security requirements for all partners and vendors.”
