Mixpanel Vulnerability Exposed Account Data of Some OpenAI API Users

2025-11-28

Data analytics provider Mixpanel experienced a security breach that resulted in the exposure of account information belonging to some users of the OpenAI PBC API platform. The compromise was of Mixpanel's own systems, not OpenAI's.

The ChatGPT developer disclosed the incident on Wednesday, November 26.

Mixpanel offers an analytics platform bearing its name, enabling companies to gather data on how users interact with their applications. The tool tracks metrics such as customer retention, uptime, and performance. At the time of the breach, OpenAI was using Mixpanel for web analytics on the front end of its API platform, collecting data on how developers engaged with the product.

Mixpanel detected the incident on November 8. The company confirmed that attackers used an SMS phishing (smishing) campaign against its staff to compromise internal systems and then exported customer data. OpenAI was among the affected clients.

Shortly after identifying the breach, Mixpanel notified the ChatGPT developer. On Tuesday, November 25, the analytics provider shared with OpenAI a copy of the exported dataset, which contained the analytics records Mixpanel held for OpenAI's API platform. OpenAI then began informing the users whose information appeared in it.

According to the ChatGPT developer, the attackers obtained names, email addresses, and approximate locations (city, state, and country, derived from the browser) of some API users. Technical metadata was also exposed, including the operating systems and browsers used by affected customers to access OpenAI’s API, referring websites, and organization or user IDs associated with the accounts. However, the company emphasized that passwords, API keys, chat content, API requests, and payment information were not compromised.
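The exposed fields above are exactly the kind of profile data that product-analytics SDKs forward by default. As an added example (not code from the article, OpenAI, or Mixpanel), the following Python shows one way to minimize what leaves your systems for a third-party vendor: an allowlist of properties, a keyed HMAC pseudonym in place of the email or user ID so retention metrics still work without the vendor holding a reversible identifier, location coarsened to country, and an egress check that flags any email address or IP that slipped through. The event payload, the key, and all field names are constructed for illustration.

```python
import hmac
import hashlib
import re

# Properties allowed to reach the vendor. Anything not listed is dropped,
# so a new SDK field cannot leak by default. City/state are deliberately
# absent; only "country" survives as coarse location.
ALLOWED_PROPERTIES = {"event", "os", "browser", "country", "plan_tier"}

# Identity fields that must never be forwarded as-is.
DIRECT_IDENTIFIERS = {"name", "email", "ip", "user_id", "org_id"}

# Constructed for this example. In production the key comes from a secret
# store and is never shared with the analytics vendor.
DEMO_KEY = b"example-pseudonymization-key"

# Constructed sample event resembling what a web-analytics SDK collects.
SAMPLE_EVENT = {
    "event": "api_key_created",
    "name": "Dana Developer",
    "email": "Dana.Developer@example.com",
    "user_id": "user_12345",
    "org_id": "org_987",
    "ip": "203.0.113.7",
    "city": "Lisbon",
    "state": "Lisboa",
    "country": "PT",
    "os": "macOS",
    "browser": "Firefox",
    "plan_tier": "pay-as-you-go",
}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of an identifier.

    Unlike a plain SHA-256, a party holding only the vendor's copy cannot
    recover the input by hashing guessed email addresses, because the key
    never leaves our systems. Normalization keeps the pseudonym stable across
    case and whitespace variations of the same identifier.
    """
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize_event(event: dict, key: bytes) -> dict:
    """Reduce an analytics event to the minimum a usage dashboard needs."""
    out = {k: v for k, v in event.items() if k in ALLOWED_PROPERTIES}
    # A stable pseudonym keeps per-user retention analysis possible without
    # handing the vendor a name, email, or internal account ID.
    ident = event.get("user_id") or event.get("email")
    if ident:
        out["distinct_id"] = pseudonymize(str(ident), key)
    # Defence in depth: fail loudly if a direct identifier ever gets through.
    assert DIRECT_IDENTIFIERS.isdisjoint(out), "identifier leaked to vendor payload"
    return out


def find_identifiers(payload: dict) -> set:
    """Egress check: return the keys whose values look like an email or IPv4.

    Run this on the serialized payload right before it is sent to the vendor,
    so an unexpected field is caught at the boundary rather than in a breach
    notification.
    """
    hits = set()
    for key, value in payload.items():
        if not isinstance(value, str):
            continue
        if EMAIL_RE.search(value) or IPV4_RE.match(value):
            hits.add(key)
    return hits


if __name__ == "__main__":
    print("raw event leaks:", sorted(find_identifiers(SAMPLE_EVENT)))
    safe = minimize_event(SAMPLE_EVENT, DEMO_KEY)
    print("minimized event:", safe)
    print("minimized event leaks:", sorted(find_identifiers(safe)))
```

The allowlist does the real work; the HMAC only matters once you have decided that per-user continuity is worth keeping. If the vendor needs to support account deletion or lookups by email, that mapping must live on your side, keyed by the same secret, never at the vendor.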

In a blog post, OpenAI stated that customers do not need to reset passwords or rotate API keys, since no credentials were in the dataset. Nevertheless, the company warned that threat actors could leverage the stolen data to launch phishing campaigns: a verified name, email address, organization ID, and knowledge that the target uses the OpenAI API is enough to craft a convincing pretext. Affected users should treat unsolicited messages that ask for passwords, API keys, or verification codes with suspicion and confirm any such request through official channels.

In response to the breach, OpenAI has removed Mixpanel from its production services. Moving forward, it plans to collaborate with the analytics provider and other partners to conduct a deeper investigation. Additionally, OpenAI intends to raise security requirements across its vendor ecosystem.

“The Mixpanel incident demonstrates that even trusted analytics tools can inadvertently expose sensitive data if they aren’t continuously validated,” said Mayur Upadhyaya, CEO of APIContext Inc., a provider of API testing and monitoring solutions. “In a machine-first world, you can’t fix what you can’t see. Observability must extend to every API, webhook, and third-party integration.”

It remains unclear which other Mixpanel clients, beyond OpenAI, were affected by this breach; a compromise of the vendor's internal systems is not limited to one customer's dataset. According to Mixpanel’s website, the company serves over 29,000 customers, including numerous major technology firms. Mixpanel stated it has secured the impacted accounts, reset employee passwords, and blocked IP addresses associated with the threat actors.

To date, data breaches involving large language model providers like OpenAI have been rare, and OpenAI stressed that this incident was a compromise of a third-party vendor rather than of its own systems. While threat actors have occasionally abused these models to assist in cyberattacks, OpenAI and its competitors have implemented defensive measures specifically designed to mitigate such misuse.