OpenAI says “limited identifying information” (name, e-mail address, location, etc.) for ChatGPT API customers was exposed after a breach at Mixpanel, which detected a smishing campaign on November 8.
The incident affected “limited analytics data related to some users of the API,” OpenAI said. The company stressed that the breach did not affect ChatGPT or other OpenAI products, even though it literally did.
“This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed,” OpenAI says in a press release.
OpenAI uses Mixpanel’s event analytics to track user interactions on the API frontend. OpenAI received details of the affected dataset on November 25, after Mixpanel had informed it of an ongoing investigation.
The company said exposed fields may include:
- Name provided on the API account
- Email address associated with the API account
- Approximate location based on API user browser (city, state, country)
- Operating system and browser used to access the API account
- Referring websites
- Organization or User IDs associated with the API account
Some users reported that CoinTracker, a cryptocurrency portfolio tracker and tax platform, was also impacted; the exposed CoinTracker data reportedly included device metadata and a limited transaction count.
OpenAI has opened its own investigation to determine the full scope of the incident. As a precaution, the company removed Mixpanel from its production services and began notifying organizations, administrators, and individual users directly. While OpenAI said only API users were impacted, it notified all subscribers.
The company warned the leaked data could be leveraged for phishing or social-engineering attacks and advised users to watch for credible-looking malicious messages related to the incident. It recommended verifying messages that contain links or attachments to ensure they originate from an official OpenAI domain.
“The company also urges users to enable 2FA and never send sensitive information, including passwords, API keys, or verification codes, through email, text, or chat.”
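As an added example (not code from the article, OpenAI or Mixpanel), here is the link check the advice above describes: extract every URL from a message body and flag any whose host is not openai.com or a subdomain of it. The allowlist (only openai.com) and the sample message are constructed for this illustration; the check rejects common lookalike tricks such as `openai.com.other-domain`, a `user@host` prefix, plain http, and punycode homoglyph domains.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist for this example: openai.com is OpenAI's public domain.
# Any other domains an organisation treats as official would be added here.
OFFICIAL_DOMAINS = {"openai.com"}

LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_official_host(host: str) -> bool:
    """True only if host is exactly an official domain or a subdomain of one.

    Comparing whole labels from the right (not substrings) defeats lookalikes
    such as 'openai.com.example.net' or 'login-openai.com'.  Punycode
    ('xn--...') homoglyph domains never match an ASCII allowlist entry.
    """
    host = host.lower().rstrip(".")  # tolerate a trailing dot and mixed case
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_link(url: str) -> str:
    """Return 'official' or 'suspicious' for a single URL."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname is None:
        return "suspicious"  # plain http or no parsable host
    if parsed.username is not None:
        # 'https://openai.com@evil.example/' puts the real host after '@'
        return "suspicious"
    return "official" if is_official_host(parsed.hostname) else "suspicious"


def suspicious_links(message: str) -> list[str]:
    """Return every URL in a message body that is not on an official domain."""
    return [u for u in LINK_RE.findall(message) if classify_link(u) != "official"]


# Constructed sample message mixing one official link with lookalike tricks.
SAMPLE = """Following the Mixpanel incident, please review your account:
https://platform.openai.com/account
https://openai.com.verify-account.example/login
https://openai.com@account-check.example/reset
http://openai.com/insecure
https://xn--penai-7va.com/signin
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE):
        print("suspicious:", link)
```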
Mixpanel confirmed the attack “impacted a limited number of our customers” and traced the breach to an SMS phishing campaign. Mixpanel’s CEO, Jen Taylor, said that all impacted customers have been contacted directly. “If you have not heard from us, you were not impacted,” she noted.
In response, Mixpanel said it secured affected accounts, revoked active sessions and sign-ins, rotated compromised credentials, blocked the threat actor’s IP addresses, and reset passwords for all employees. The company added it has implemented new controls intended to prevent similar incidents in the future.
Source: Bleepingcomputer