Yes, if you accidentally push grandma and her wheelchair over a cliff you probably wouldn’t refer to it as “a recent family incident”. In particular the fourth word, a single letter ‘a’, immediately got my back up. The vagueness and defensiveness of the whole post feels very dismissive and inhuman.
"Out of transparency and our desire to share with our community…" also reminds me when I get a refund that is prefixed with "as a one-time gesture of goodwill…" instead of "sorry, we made a mistake".
I believe the proper term for this kind of "as a one-time gesture of goodwill" is "ex gratia", and is more-or-less a standard form for compensation without admitting liability.
Yes - I have the same intuition. But it may also just be unfortunate timing and obligations. Sometimes companies have requirements from customers to notify them within some time period following a breach.
And it looks like many companies got affected because their data was stolen via Gainsight. The hackers said they plan to ask the companies for ransoms.
I was looking for all the same information immediately. I can't remember the last time I saw a breach notice that didn't specify what details were exposed.
Yikes, Mixpanel lost OpenAI as a customer because of this.
> Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.
Considering they were aware of this on the 8th (who knows how long that was after it actually happened) it's a little disappointing that they'd wait until the day before such a major holiday to post about it. Unsurprising sure, but still disappointing.
I'm extremely confused by Mixpanel's announcement. According to their blog post, if you received an email from them it implies you were affected, yet I closed my account with them a few months ago and I still received their email, so I can't understand whether my account was impacted or not.
> As a valued customer, we wanted to inform you about a recent security incident that affected a limited number of Mixpanel user accounts. We have proactively communicated with all impacted customers. If we did not previously contact you, your Mixpanel accounts were not impacted. We continue to prioritize security as a core tenant of our company, products and services. We are committed to supporting our customers and communicating transparently about this incident.
If that is true, then the data impacted was likely account data, as we also got the email and yet we are only just starting the integration work, and we don't have events in there yet.
It doesn't seem that confusing. The blog post says that they "proactively communicated with all impacted customers", not that they've only emailed impacted customers. Receiving an email doesn't imply you were affected; it's just that the lack of an email saying "you were affected" means you were not impacted by this event.
In the event you had closed your account a year ago they may have deleted your information from their systems. No way for you to be impacted, but also no way to tell you that, so the lack of the email is the message in that case.
The fact that an email was sent from their system implies they kept at least the email address. From there one could assume they may have kept more data than the email address. I would also be confused, especially if I was only emailed after the incident.
> In the event you had closed your account a year ago they may have deleted your information from their systems.
Given what I know about data life cycle implementations there is a very good chance that that data was still there unless the GP explicitly requested it be deleted.
Companies tend to hang on to all kinds of data that they shouldn't have.
The fact that they received an email is a first indication that it wasn't deleted.
If you are EU based (or in another country with decent data protection laws), there may be grounds for a GDPR complaint about them not deleting your data after closing your account, under the right to be forgotten.
Email from OpenAI: Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.
What happened
On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.
What this means for you
User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to:
* Name that was provided to us on the API account
* Email address associated with the API account
* Approximate coarse location based on API user browser (city, state, country)
* Operating system and browser used to access the API account
* Referring websites
* Organization or User IDs associated with the API account
To be fair to OpenAI, their privacy policy[0] does provide some detail. They don't mention Mixpanel explicitly, but OpenAI does mention they share your information with third-party web analytics services:
> To assist us in meeting business operations needs and to perform certain services and functions, we may disclose Personal Data to vendors and service providers, including providers of ... web analytics services ...
OpenAI likely provides this disclosure to comply with US state privacy laws, but it's inaccurate to say they didn't disclose that they won't share your information
Does this win the award for the least transparent disclosure ever? It is not clear from this what happened, whether data was leaked, how many of their customers were affected, what kind of "attack" it is, or whether this was due to "SMS" or their security (or lack thereof).
Smishing is a new term for me. Had to look it up actually. For anyone else:
> Smishing is a cyber-attack that targets individuals through SMS (Short Message Service) or text messages. The term is a combination of “SMS” and “phishing.”
in practice: "hey man, this is Josh from OpenAI, can you disable 2FA on my account josh@openai.com ? I changed my phone and am abroad for a bit, thanks"
* What systems were accessed
* What information was potentially exposed
* Just how "proactively" they've been about this (no timeline)
* Numbers... The scale of any of it
---
Some comments from quoted portions of article
> Mixpanel detected a smishing campaign ...
Doesn't give any details on who the campaign targeted, or how, or how widespread it was.
> We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts.
So there was definitely _some_ sort of unauthorized access, but it doesn't say to which accounts or in what systems.
> Performed global password resets for all Mixpanel employees
So... it definitely sounds like they expected compromise of Mixpanel employee credentials.
I’m sorry IF you were offended… vs
I’m sorry I made offensive remarks. It hurt you and I am truly sorry.
What to know about a recent Mixpanel security incident Transparency is important to us...
They're so transparent that they leaked PII to Mixpanel...
https://news.ycombinator.com/item?id=46065585
https://news.ycombinator.com/item?id=46071239
Mixpanel certainly has more info than OpenAI, yet has determined to share far less with the public. This reflects very poorly on them as a company.
[0] https://openai.com/index/mixpanel-incident/
https://www.theregister.com/2025/09/16/china_1hour_cyber_rep...
https://privacymatters.dlapiper.com/2025/09/china-new-strict...
[0] https://openai.com/policies/privacy-policy/
> Has Mixpanel been removed from OpenAI products?
> Yes.
https://openai.com/index/mixpanel-incident/