OpenAI users' email addresses and location information have been leaked: personal information of API users was exposed via a data analysis service



OpenAI has announced that personal information, including names, email addresses, and location information of some users, has been leaked. The leak was caused by a security incident at Mixpanel, a data analysis service used by OpenAI, and OpenAI's systems themselves were not attacked.

What to know about a recent Mixpanel security incident | OpenAI
https://openai.com/index/mixpanel-incident/



Mixpanel is a service that analyzes how users use a product, and OpenAI used Mixpanel to analyze usage of its API products. It was discovered that Mixpanel was illegally accessed by a third party on November 9, 2025, resulting in the external exposure of datasets containing customer identifying information and analytical information. OpenAI shared details of the affected data with Mixpanel on November 25, 2025, and publicly disclosed the attack on November 26, 2025.

The potentially leaked data includes:
- API user name
- API user email address
- Location information (country, state, city, etc.) obtained from the API user's browser
- The OS and browser used by the API user
- Referring website
- User ID or organization ID associated with the API account

OpenAI is in the process of notifying affected organizations and individuals, has discontinued use of Mixpanel, and has conducted extensive security reviews of other products it uses.

Because the leaked information included names, email addresses, and user IDs, affected users are at risk of phishing attacks posing as OpenAI employees. OpenAI states, 'OpenAI will never ask you to disclose information such as passwords, API keys, or authentication codes via email or text,' and urges users to take the following measures:

- Be wary of unexpected emails and messages, especially those containing links or attachments.
- Double-check the domain of any message claiming to be from OpenAI.
- Enable multi-factor authentication.
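
The checks in the advice above can be automated for a mailbox. This is an added example, not code from OpenAI or from the original article; it assumes openai.com is the only trusted domain, and the function names, sample messages and .example hosts are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: only openai.com (the domain of the notice linked above) is trusted.
TRUSTED = {"openai.com"}
SECRET_ASK = re.compile(r"\b(password|api key|authentication code)s?\b", re.I)
LINK_HOST = re.compile(r"https?://([^/\s:>\"']+)", re.I)

def in_trusted(host):
    """True for a trusted domain or any of its subdomains, never for lookalikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def triage(raw):
    """Return reasons to distrust a message that claims to come from OpenAI."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    body = msg.get_payload()
    reasons = []
    claims_openai = "openai" in (name + " " + msg.get("Subject", "")).lower()
    if claims_openai and not in_trusted(domain):
        reasons.append(f"sender domain {domain!r} is not an OpenAI domain")
    # From is forgeable, so a trusted domain still needs a DMARC pass recorded
    # by your own receiving server (Authentication-Results, RFC 8601).
    auth = msg.get("Authentication-Results", "").lower()
    if in_trusted(domain) and "dmarc=pass" not in auth:
        reasons.append("From claims an OpenAI domain but DMARC did not pass")
    for host in sorted(set(LINK_HOST.findall(body))):
        if not in_trusted(host):
            reasons.append(f"link points to {host!r}")
    if SECRET_ASK.search(body):
        reasons.append("asks for a password, API key or authentication code")
    return reasons

# Constructed sample messages (not real mail); .example hosts are placeholders.
PHISH = """From: OpenAI Support <security@openai-billing.example>
Subject: Action required: verify your API account
Authentication-Results: mx.example.net; dmarc=pass header.from=openai-billing.example

Confirm your API key at https://openai-billing.example/verify
"""
SPOOF = """From: OpenAI <noreply@openai.com>
Subject: Security notice
Authentication-Results: mx.example.net; dmarc=fail header.from=openai.com

Read the notice at https://openai.com/index/mixpanel-incident/
"""
```

Calling `triage(PHISH)` returns three reasons (lookalike sender domain, off-domain link, request for an API key), while `triage(SPOOF)` returns only the DMARC failure, showing why the visible From domain alone is not enough.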

Please note that the leaked information does not include passwords or API keys, and OpenAI is not recommending that users change their passwords or API keys.

in Security, Posted by log1o_hf