OpenAI Alerts Users to Mixpanel API Data Breach

Summary
– OpenAI notified API users that some data was exposed due to a breach at its analytics supplier Mixpanel.
– The breach occurred on November 9, and exposed data includes names, email addresses, approximate locations, and technical details of API users.
– OpenAI confirmed its core products like ChatGPT, chat content, API usage data, and sensitive credentials were not compromised.
– OpenAI has removed Mixpanel from its services, is notifying affected users, and enhancing security reviews across its vendor ecosystem.
– OpenAI warned that the exposed data could be used for phishing and advised users to remain vigilant against social engineering attacks.
OpenAI has issued a notification to its API users regarding a potential data exposure stemming from a security incident at Mixpanel, its third-party analytics provider. The company clarified that this event did not involve a breach of its own internal systems.
According to a blog post published on November 26, an unauthorized individual managed to access a segment of Mixpanel’s infrastructure. This intrusion resulted in the export of a specific dataset containing certain customer-identifiable and analytics details. The incident’s origin traces back to November 9. Mixpanel provided the dataset to OpenAI on November 25 after concluding its own internal review.
Users who accessed the platform.openai.com website or utilized the OpenAI API may find their information was part of the data exported from Mixpanel. The types of data potentially involved include the name and email address linked to the API account, an approximate location derived from the user’s browser (such as city, state, or country), the operating system and browser type used, referring websites, and the associated Organization or User IDs.
Crucially, OpenAI emphasized that its other services, including ChatGPT, were not affected. The company stated definitively that no chat histories, API requests, API usage statistics, passwords, login credentials, API keys, payment information, or government identification documents were compromised or exposed in this event.
In response, OpenAI has removed Mixpanel from its live production services. The AI firm is also actively assisting the analytics provider with its ongoing security investigation, and has begun notifying the users and organizations that might have been impacted.
Beyond addressing this specific incident, OpenAI announced it is performing additional and more rigorous security assessments across its entire network of vendors. The company is also implementing stricter security standards for all its partners and third-party suppliers.
Mixpanel operates as an analytics service that monitors how users interact with applications and websites. OpenAI had employed its services specifically to gain insights into product usage patterns for its API, aiming to enhance and improve those services.
A separate report from OX Security, published on November 27, detailed the kind of information Mixpanel is typically configured to gather. This often encompasses the current page a user is viewing, their operating system, browser name and version, the website they came from, a device identifier, the page title, the user’s email and name, location data such as country, whether an adblocker is installed, and screen dimensions. The exact data collected can differ from one website to another, since each entity customizes its own analytics setup.
OpenAI has warned that the most probable misuse of this exposed data would be for phishing or social engineering campaigns. The company advises anyone who believes their API data may have been involved to exercise increased caution against convincing phishing emails and spam messages. Users are encouraged to adopt robust security best practices to protect their accounts.
(Source: Info Security)