A breach at data analytics provider Mixpanel Inc. has compromised the account information of some OpenAI Group PBC users.
The ChatGPT developer disclosed the incident on Wednesday.
Mixpanel’s namesake analytics platform enables companies to collect data about how users interact with their applications. The software tracks metrics such as customer retention, uptime and performance. At the time of the breach, OpenAI used Mixpanel to collect data about developer interactions with its application programming interfaces.
Mixpanel detected the incident on November 8. The company determined that hackers had used an SMS phishing message to compromise some of its internal systems and gain access to customer data. OpenAI was one of the affected customers.
Mixpanel notified the ChatGPT developer of the incident shortly after uncovering it. On Tuesday, the analytics provider gave OpenAI a copy of the dataset that the hackers accessed from its API platform. OpenAI subsequently began notifying the users whose information appeared in the dataset.
The ChatGPT developer says that hackers accessed some API users’ names, email addresses and locations. The breach also compromised certain technical data, including what operating system and browser each affected customer used to access OpenAI’s APIs. According to the company, the hackers didn’t access customer payment details or the prompts sent to its APIs.
OpenAI stated in a blog post that customers don’t need to reset their passwords or rotate their encryption keys. However, the company cautioned that the hackers could use the stolen information to launch phishing attacks.
OpenAI has removed Mixpanel from its systems in response to the breach. Going forward, it will work with the analytics provider and “other partners” to further investigate the incident. OpenAI also plans to roll out stricter cybersecurity requirements for suppliers.
“The Mixpanel incident shows how even trusted analytics tools can inadvertently leak sensitive data if not continuously validated,” said Mayur Upadhyaya, chief executive of API testing and monitoring provider APIContext Inc. “In a machine-first world, you can’t fix what you can’t see. Observability must extend across every API, webhook and third-party integration.”
It’s unclear what other Mixpanel customers besides OpenAI are affected by the breach. The analytics provider’s website states that it has more than 29,000 customers including numerous major tech firms. Mixpanel says that it has secured the accounts affected by the breach, reset its employees’ passwords and blocked the threat actor’s IP addresses.
Data breaches involving major large language model providers such as OpenAI have been few and far between so far. However, threat actors occasionally use their models to launch hacking campaigns. OpenAI and its rivals have implemented guardrails designed to block such cyberattacks.
