OpenAI admits data breach after analytics partner hit by phishing attack
Thursday November 27, 2025. 03:37 PM, from InfoWorld
OpenAI has suffered a significant data breach after hackers broke into the systems of its analytics partner Mixpanel and successfully stole customer profile information for its API portal, the companies have said in coordinated statements.
According to a post by Mixpanel CEO Jen Taylor, the incident took place on November 8 when the company “detected a smishing campaign and promptly executed our incident response processes.” Smishing is a form of phishing-by-SMS against targeted employees, popular with hackers because text messages bypass normal enterprise controls.
This gave the attackers access to Mixpanel’s system, allowing them to steal a range of metadata relating to platform.openai.com account profiles:
- Name provided to OpenAI on the API account
- Email address associated with the API account
- Approximate location based on API user browser (city, state, country)
- Operating system and browser used to access the API account
- Referring websites
- Organization or User IDs associated with the API account
“We proactively communicated with all impacted customers. If you have not heard from us directly, you were not impacted,” said Taylor.
According to a separate OpenAI post, Mixpanel shared the affected customer dataset with it on November 25. After review, OpenAI had terminated its use of Mixpanel, it said, implying that this might be permanent.
The incident affects some customers with platform.openai.com accounts, but not users of ChatGPT or other OpenAI products, OpenAI said.
“We are in the process of notifying impacted organizations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse,” OpenAI said.
“This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.”
How should customers react?
There are three levels of concern here: which OpenAI API customers are affected, how attackers might use stolen data if they are, and the possibility, however hypothetical, that more valuable data such as API keys or account credentials could be at risk.
On the first issue, as noted above, both companies have said they have contacted customers caught up in the breach without specifying how many users are affected. OpenAI has set up an email address customers can use if they have further questions: mixpanelincident@openai.com. Mixpanel has set up an equivalent contact address: support@mixpanel.com.
Nevertheless, if decades of data breaches have taught the world anything, it’s that companies don’t always know the full extent of a data breach even when they say they do. For that reason, it would be wise for OpenAI customers who have not been contacted to conduct the same security review as those that have.
OpenAI said that customers should be on their guard for phishing attacks targeting breached email addresses and should check that messages that appear to be sent from OpenAI’s domain are genuine. They should also turn on multi-factor authentication (MFA).
If phishing sounds generic, in the context of an API connection the dangers are more specific and include more nuanced fake alerts for things like billing, quota messages, and suspicious logins.
According to OpenAI, there is no need for customers to rotate or reset account credentials or API keys, which attackers could use to steal data or consume services. Despite this, cautious developers are likely to rotate and reset credentials anyway, because this removes the risk.
Several organizations involved in API and AI security have offered more detailed breakdowns of recommendations in the light of the OpenAI-Mixpanel incident, including Ox Security and Dev Community.
Downstream attack surface
OpenAI uses external analytics platforms such as Mixpanel to track how customers interact with models through the API. This includes which models a customer selects plus basic metadata such as location and email ID listed above. It does not track the user ‘payload’, that is, chatbot queries and responses being sent to the model from a browser, which are encrypted.
The latest incident underlines that the security of the primary platform is only one part of the risk: secondary platforms and partners are a backdoor that can expose even careful organizations, as some Salesforce customers have seen with data breaches at its partner Salesloft. The attack surface exposed by AI platforms is bigger than it looks, a security and governance challenge enterprises should assess before jumping in with both feet.
https://www.infoworld.com/article/4097479/openai-admits-data-breach-after-analytics-partner-hit-by-p...







