OpenAI apologizes for big Mixpanel data breach that exposed emails and more – here’s what we know

- OpenAI apologizes for data breach that compromised one of its partners
- Mixpanel, a data analytics company used by OpenAI, had its systems hacked
- The details disclosed relate to software developers using OpenAI’s development platform, not everyday ChatGPT users.
OpenAI has apologized for a data breach suffered by one of its partners that caused some emails, user locations and telemetry data to be leaked.
The third party in question is Mixpanel, a data analytics company that OpenAI used with its platform.openai.com portal. This portal is the OpenAI development platform (used by software developers to integrate AI features into their products), and Mixpanel provided its web analytics.
It is important to note that this is not a breach of ChatGPT, but of the analytics company, which is entirely separate from OpenAI. The details disclosed relate only to software developers, not everyday ChatGPT users, as OpenAI makes clear in its full statement on the subject (spotted by Windows Central).
This statement addresses a number of concerns which, as you might imagine, start with people seeing headlines about a “ChatGPT data breach” and panicking that their user details may have been leaked, or perhaps even their private conversations with ChatGPT.
OpenAI tells us: “Users of ChatGPT and other products have not been impacted.
“This is not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, usernames, API keys, payment details, or government credentials were compromised or exposed.”
So what was exposed?
OpenAI informs us that the breach of Mixpanel’s systems “involved limited analytical data linked to certain API users,” so only certain developers on that platform were affected.
OpenAI is in the process of contacting the affected individuals. The details disclosed consist of certain user profile information, including the following:
- Name provided on API account
- Email address associated with the API account
- Approximate location based on API user’s browser (city, state, country)
- Operating system and browser used to access the API account
- Referring sites
- Organization or user IDs associated with the API account
OpenAI again clarifies that “OpenAI passwords, API keys, payment information, government IDs, and account access credentials have not been affected” for any developer.
Is there a danger of unforeseen repercussions or other revelations to come?
OpenAI assures us: “While we have found no evidence of any effect on systems or data outside of the Mixpanel environment, we continue to closely monitor any signs of misuse.”
This doesn’t entirely rule out other problems coming to light as OpenAI’s investigation continues, but it seems very likely that any issues will be limited to the software developers here.
What is OpenAI doing about this?
OpenAI obviously takes this incident seriously and Mixpanel services have been interrupted. OpenAI also says it is conducting “in-depth security reviews across our entire vendor ecosystem” in light of the incident and the “increasing security requirements” for all of its partners. This suggests that OpenAI recognizes its failure of judgment in employing this particular partner.
Because there are bound to be concerns about how this reflects on OpenAI more broadly – even if the breach is not its fault – it seems wise for OpenAI to go back and look at the other companies it works with, keeping this recent breach in mind.
It’s nothing to worry about, but here’s a safety reminder nonetheless
Hopefully what has been reported by OpenAI here will be the full extent of the breach once the investigation into the incident is fully signed off. For those affected, this won’t be much comfort, but as noted, this should only be of concern to software developers who use OpenAI’s API platform.
Due to the limited nature of the breach, OpenAI does not even recommend that developers reset their passwords.
However, in its mini-FAQ at the end of the statement, OpenAI advises all users to enable multi-factor authentication (MFA) on their accounts if they haven’t already done so, even if the developer’s account details were not involved in the breach. This is simply because MFA really should be used with any online account you have, when available, as a security best practice.
Adding another authentication step on top of entering your password – like receiving a code via SMS to your phone – means that if your username and password are ever leaked, you have built-in security that prevents anyone trying to compromise your account from logging in.




