Product analytics and event-tracking solutions provider Mixpanel recently disclosed a security incident that they detected on November 8. The company characterized the breach as a “smishing campaign” and assured the public that only a “limited number of customers” had been affected. In response to the intrusion, Mixpanel promptly secured the compromised accounts, rotated credentials, revoked active sessions, reset employee passwords, and blocked identified malicious IP addresses. However, the company chose not to release any technical details regarding the nature of the cyberattack or the method of intrusion.
OpenAI, one of the affected customers of the analytics provider, has been more forthcoming with details regarding the scope and impact of the incident. The prominent artificial intelligence company utilizes Mixpanel for web analytics to gain insights into product usage, specifically to enhance its API product, which is hosted at platform.openai.com. The AI giant has explicitly stated that its own infrastructure remained secure and that there was no unauthorized access to any of its core systems. Furthermore, OpenAI emphasized that their passwords, API keys, payment details, account credentials, and government IDs were not compromised.
The company provided clear reassurances that the breach did not affect its main consumer product, stating, “Users of ChatGPT and other products were not impacted.” This also extends to the most sensitive data associated with the AI service, as the breach did not compromise ChatGPT chat content, user prompts, generated responses, or API usage data. Despite these important limitations, the attacker successfully exfiltrated a specific dataset that contained “limited customer identifiable information and analytics information.”
The stolen information is specifically tied to user profiles on the platform.openai.com service. The data included users’ names and email addresses, as well as an approximate geographical location inferred from the user’s browser, such as the city, state, and country. Technical details were also compromised, including the user’s operating system and browser type, their specific organization or user ID, and the referring website that led them to the platform.
OpenAI is now warning its affected users about the potential misuse of this exposed data. The company has highlighted that while the stolen information is limited, it is exactly the type of dataset that could be highly valuable to malicious actors for carrying out sophisticated phishing and targeted social engineering attacks. Users should exercise caution and remain vigilant for any suspicious communications that attempt to leverage this exposed profile information.
Reference:
