Citing a significant supply chain failure, OpenAI has severed ties with analytics provider Mixpanel after a security breach exposed customer metadata. Hackers gained unauthorized access to sensitive logs after targeting a Mixpanel employee with a smishing (SMS phishing) attack.
While OpenAI confirmed that no AI models or authentication keys were stolen, the exposed dataset includes names, emails, and location information for Application Programming Interface (API) customers.
Cryptocurrency platforms CoinTracker and CoinLedger were also impacted, signaling a targeted campaign against the vendor’s tech clientele.
Anatomy of a Smishing Attack
Triggered by a targeted campaign, the security failure began when smishing attacks successfully compromised a Mixpanel employee’s credentials. Mixpanel’s security update confirms that the company’s security operations center identified the threat on November 8, 2025.
Despite this detection, the attackers managed to pivot into the internal environment. Unauthorized access to the specific systems containing customer data occurred on November 9, allowing the threat actors to export sensitive logs. Jen Taylor, CEO of Mixpanel, explained the initial response sequence.
Following the containment of the compromised account, the analytics firm initiated a comprehensive cleanup operation to secure its perimeter.
This involved revoking active sessions and forcing a credential refresh across the entire organization to ensure no persistent backdoors remained. According to the company’s incident report, these measures were designed to completely sever the attacker’s access.
A critical delay occurred between the initial breach and the notification of affected clients.
While the exfiltration took place on November 9, Mixpanel did not inform OpenAI of the specific dataset contents until November 25, leaving a 16-day window in which the exposed data was potentially in the wild before customers could be warned.
Metadata Exposure: The Hidden Risks
Emphasizing the containment of the threat, OpenAI’s own disclosure clarifies the distinction between the vendor-side compromise and its own infrastructure security.
“This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.”
However, the theft of metadata can be just as damaging as the loss of credentials, as it provides a blueprint for high-fidelity social engineering.
By combining names, email addresses, and usage patterns, attackers can craft highly convincing spear-phishing emails that bypass standard spam filters. Logs retrieved from the compromised instance reveal a detailed profile of the user base. The following information may have been included in data exported from Mixpanel:
- “Name that was provided to us on the API account
- Email address associated with the API account
- Approximate coarse location based on API user browser (city, state, country)
- Operating system and browser used to access the API account
- Referring websites
- Organization or User IDs associated with the API account”
Compounding the severity of the breach is the inclusion of Organization IDs and referring websites. These fields allow threat actors to map the corporate structure of OpenAI’s enterprise clients, potentially facilitating future business email compromise (BEC) attacks.
Supply Chain Fallout and Collateral Damage
The response to the breach was immediate and punitive. In a move that shows the growing intolerance for vendor-induced risk, OpenAI permanently ended its business relationship with the analytics provider.
Forensic evidence suggests the intrusion was part of a broader campaign targeting Mixpanel’s cryptocurrency and technology clientele.
Reports of impacted crypto platforms indicate that portfolio trackers CoinTracker and CoinLedger also suffered data exposure, with attackers potentially seeking transaction summaries or wallet associations.
Just found out that CoinLedger was using Mixpanel too and they’re also affected by the data leak.
They gave out your First and Last Name additionally if you set it in their profile (which you probably did, because you’d need it for a tax report).
Targeted phishing will rise. https://t.co/WLWsnriiJw pic.twitter.com/CzgkqEWgQu
— WiiMee (@wiimee) November 27, 2025
Regarding the scope of the incident, Mixpanel CEO Jen Taylor sought to reassure the broader customer base about the containment measures.
“If you have not heard from us directly, you were not impacted.”
This incident highlights the fragility of the modern software supply chain, where a single vendor compromise can cascade across multiple major platforms. For enterprise IT leaders, the breach serves as a reminder that third-party integrations often represent the weakest link in an organization’s security posture.

