I _hate_ how this is written. At no point does it disclose explicitly:

* What systems were accessed

* What information was potentially exposed

* Just how "proactively" they've been about this (no timeline)

* Numbers... The scale of any of it

---

Some comments from quoted portions of article

> Mixpanel detected a smishing campaign ...

Doesn't give any details on who the companion targeted, or how, or how widespread.

> We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts.

So there was definitely _some_ sort of unauthorized access, but doesn't say to which accounts or in what systems

> Performed global password resets for all Mixpanel employees

So... definitely sounds like they expected compromise of Mixpanel employee credentials

    Yes.

I find it it incredible how much worse this article is compared to OpenAI’s article [0]

Mixpanel certainly has more info than OpenAI, yet has determined to share far less with the public. This reflects very poorly on them as a company.

[0] https://openai.com/index/mixpanel-incident/

Bit of a trial-by-fire for the brand-new CEO. Her pick was announced September 3rd, and two months later on November 9th this hit her desk.

I'm extremely confused by Mixpanel announcement, according to their blog post if you received an email from them it implies you were affected, yet I closed my account with them few months ago and I still received their email, which I can't understand if my account was impacted or no

> As a valued customer, we wanted to inform you about a recent security incident that affected a limited number of Mixpanel user accounts. We have proactively communicated with all impacted customers. If we did not previously contact you, your Mixpanel accounts were not impacted. We continue to prioritize security as a core tenant of our company, products and services. We are committed to supporting our customers and communicating transparently about this incident.

> datePublished":"2025-11-27T04:39:29.000Z

Considering they were aware of this on the 8th (who knows how long that was after it actually happened) it's a little disappointing that they'd wait until the day before such a major holiday to post about it. Unsurprising sure, but still disappointing.

What an opportune day to let everyone know this critical information!

Does that mean Mixpanel stock/valuation goes up because OpenAI uses them? That's how it works now is it?

This post gives me the ick as the kids say.

This is a good example of "your vendor is your attack surface" becoming the security lesson of 2025.

The pattern keeps repeating: Trust vendor → Vendor gets breached → Your users' data exposed. And the cascading effect here is notable - Mixpanel breach → OpenAI API users exposed → Those users likely reused credentials elsewhere.

For sensitive operations, the takeaway is clear: minimize what you share with third parties. If your credentials never leave your machine in the first place, they can't be exfiltrated from a vendor breach.

The old model of "trust but verify" feels increasingly outdated. The new model probably needs to be "verify or don't share."

“(We) are working closely with Mixpanel and other partners to fully understand the incident and its scope”

So they don’t know yet how bad this is.

The title here is misleading. The original article does not state breach and at no point have Mixpanel used that term.

Smishing is a new term for me.. Had to look it up actually. For anyone else

> Smishing is a cyber-attack that targets individuals through SMS (Short Message Service) or text messages. The term is a combination of “SMS” and “phishing.”

It was SMS Phishing, a.k.a. Social Engineering.

It anything, it’s opposite of breach.

The email from OpenAI is actually better:

Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.

This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.

What happened On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.

What this means for you User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to: Name that was provided to us on the API account Email address associated with the API account Approximate coarse location based on API user browser (city, state, country) Operating system and browser used to access the API account Referring websites Organization or User IDs associated with the API account Our response As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We are in the process of notifying impacted organizations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse.

Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.

Beyond Mixpanel, we are conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors.

What you should keep in mind The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.

Since names, email addresses, and OpenAI API metadata (e.g., user IDs) were included, we encourage you to remain vigilant for credible-looking phishing attempts or spam. As a reminder: Treat unexpected emails or messages with caution, especially if they include links or attachments. Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain. OpenAI does not request passwords, API keys, or verification codes through email, text, or chat. Further protect your account by enabling multi-factor authentication. The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise. Thank you for your continued trust in us.

For more information about this incident and what it means for impacted users, please see our blog post here.

Please contact your account team or mixpanelincident@openai.com if you have any questions or need our support.

OpenAI

Does this win the award of the least transparent disclosure ever? It is not clear from this what happened, whether data was leaked, how many of their customers were affected, what kind of "attack" it is, whether this was due to "SMS" or their security (or lack of).

Email from OpenAI: Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.

This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.

What happened On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.

What this means for you User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to: Name that was provided to us on the API account Email address associated with the API account Approximate coarse location based on API user browser (city, state, country) Operating system and browser used to access the API account Referring websites Organization or User IDs associated with the API account

So did an Mixpanel employee get phished or were Mixpanel customer accounts targeted, thus an OpenAI employee fell for it?

It's a suspicious post, why would you make a post if attackers are performing a sms phishing, that happens all the time.

Try Pendo instead…

@sama has raised lots of $ so why risk these types of issues by outsourcing what you have the funding to build and control in-house? plausible deniability? (similar with their prev? use of auth0)

Smushing is actually a pretty good name for this.

What kind of notification is this? No actual information is conveyed. It's so vague you might as well not write it

I don't understand. I was assured that ChatGPT is AGI by Sam Altman. Why are security breaches still happening? Surely with several hundred billion dollars investment and access to AGI, they could use ChatGPT agents to create their own product analytics platform that is robust and resilient against such a trivial attack rather than selling off users' personal data to a third party.