Mixpanel Security Breach(mixpanel.com)
56 points by jaredwiener 2 hours ago | 46 comments
cobertos 37 minutes ago | parent | next [-]

I _hate_ how this is written. At no point does it disclose explicitly:

* What systems were accessed

* What information was potentially exposed

* Just how "proactively" they've been about this (no timeline)

* Numbers... The scale of any of it

---

Some comments on quoted portions of the article:

> Mixpanel detected a smishing campaign ...

Doesn't give any details on who the campaign targeted, or how, or how widespread it was.

> We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts.

So there was definitely _some_ sort of unauthorized access, but it doesn't say to which accounts or in what systems.

> Performed global password resets for all Mixpanel employees

So... definitely sounds like they expected compromise of Mixpanel employee credentials

breppp 28 minutes ago | parent [-]

but they registered the IOCs in their SIEM platform, so no way this will happen again

thinkindie an hour ago | parent | prev | next [-]

I'm extremely confused by Mixpanel's announcement. According to their blog post, if you received an email from them it implies you were affected, yet I closed my account with them a few months ago and I still received their email, so I can't tell whether my account was impacted or not.

> As a valued customer, we wanted to inform you about a recent security incident that affected a limited number of Mixpanel user accounts. We have proactively communicated with all impacted customers. If we did not previously contact you, your Mixpanel accounts were not impacted. We continue to prioritize security as a core tenant of our company, products and services. We are committed to supporting our customers and communicating transparently about this incident.

hennell 27 minutes ago | parent [-]

It doesn't seem that confusing. The blog post says that they "proactively communicated with all impacted customers", not that they've only emailed impacted customers. Receiving an email doesn't imply you were affected; rather, the lack of an email saying "you were affected" means you were not impacted by this event.

In the event you had closed your account a year ago they may have deleted your information from their systems. No way for you to be impacted, but also no way to tell you that, so the lack of the email is the message in that case.

jacquesm 21 minutes ago | parent | next [-]

> In the event you had closed your account a year ago they may have deleted your information from their systems.

Given what I know about data life cycle implementations there is a very good chance that that data was still there unless the GP explicitly requested it be deleted.

Companies tend to hang on to all kinds of data that they shouldn't have.

The fact that they received an email is a first indication that it wasn't deleted.

hirako2000 18 minutes ago | parent | prev [-]

The fact that an email was sent from their system implies they kept at least the email address. From there one could assume they may have kept more data than the email. I would also be confused, especially if I was only emailed after the incident.

autoexec an hour ago | parent | prev | next [-]

> datePublished":"2025-11-27T04:39:29.000Z

Considering they were aware of this on the 8th (who knows how long that was after it actually happened) it's a little disappointing that they'd wait until the day before such a major holiday to post about it. Unsurprising sure, but still disappointing.

bflesch 43 minutes ago | parent [-]

This is in breach of the 72hr GDPR notification window

ares623 an hour ago | parent | prev | next [-]

Does that mean Mixpanel stock/valuation goes up because OpenAI uses them? That's how it works now, is it?

weird-eye-issue an hour ago | parent [-]

In the email they sent to users it's clear they don't use them anymore

pletnes 23 minutes ago | parent [-]

Is it? I read that they disabled mixpanel while the incident was ongoing?

jacquesm 21 minutes ago | parent [-]

If after this they continue to use them that's on OpenAI.

kevcampb 2 hours ago | parent | prev | next [-]

The title here is misleading. The original article does not state breach and at no point have Mixpanel used that term.

EdwardDiego an hour ago | parent | next [-]

"A security incident" is a nicer way of saying "security breach" once you run it through legal counsel.

The article you're reading states...

"We took comprehensive steps to _contain_ and eradicate unauthorized access"

That's a breach my friend.

kevcampb 37 minutes ago | parent [-]

That's a mixpanel breach if the unauthorised access was mixpanel staff accounts.

If someone phishes your gmail account, there is no gmail breach.

9dev 7 minutes ago | parent [-]

They also reset all passwords of all Mixpanel employees; that surely sounds like either Mixpanel staff accounts were compromised, or the breach was conducted via a staff account.

I really don't understand the point in downplaying this shitshow.

willsmith72 2 hours ago | parent | prev | next [-]

Well, OpenAI say users' names, emails and locations have been divulged; one of them is going to have to accept there was a "breach".

red_Seashell_32 an hour ago | parent | next [-]

OpenAI was sending that data to MixPanel. If anything, OpenAI is the culprit for the sensitive data leak. There's absolutely no reason to send that data.

jacquesm an hour ago | parent | next [-]

Companies use sub-processors all the time, OpenAI is no different. Unless you want to have everybody get a major case of NIH tomorrow (I wouldn't mind, then we can get rid of third party cookies and all advertising as well while we're at it).

Every time a google tag is included on a page a ton of sensitive data gets sent to another party than the one whose website you are visiting.

Whether it was wise or not for OpenAI to share this information with Mixpanel is another thing, personally I think they should not have but OpenAI in turn is also used by lots of companies and given their private data and so on.

This layer cake of trust only needs one party to mess up for a breach to become reality. What I'm interested in is whether or not it was just OpenAI's data that was lifted, or also other Mixpanel customers'.

beAbU 24 minutes ago | parent | prev [-]

I agree. On all the implementations of Mixpanel that I've been involved in, I've made it a point to not send any PII to Mixpanel. It's not needed for Mixpanel analytics to work, Mixpanel is not a CRM, it does not need customer email and other details.
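As an added illustration of the point above (this is not code from the page, from Mixpanel or from OpenAI): an allowlist scrubber run over an analytics event before it leaves the first party, so the provider only ever receives what the funnel needs. Direct identifiers (name, email, city) are dropped, IDs are replaced with a keyed pseudonym that the provider cannot reverse, and the referrer is reduced to its host so query strings never travel. The field names, the sample event, the allowlist and the HMAC key are constructed for the example; the property categories deliberately mirror those listed in OpenAI's notice (name, email, coarse location, OS/browser, referrer, org/user IDs).

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed allowlist: properties the analytics funnel actually needs.
ALLOWED_PROPERTIES = {"os", "browser", "country", "plan_tier"}
# Identifiers worth keeping for joins, but only as a keyed pseudonym.
PSEUDONYMIZED_PROPERTIES = {"org_id"}
# Direct identifiers an analytics provider never needs.
DENIED_PROPERTIES = {"name", "email", "city", "state", "ip", "phone"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed hash of an identifier: stable per user (funnels still work)
    but not reversible by the third party, which never holds the key."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def find_pii(properties: dict) -> list:
    """Return the keys carrying direct identifiers: denied property names
    or email-shaped values. Suitable as a CI check over the SDK's schema."""
    hits = []
    for key, value in properties.items():
        looks_like_email = isinstance(value, str) and EMAIL_RE.search(value)
        if key in DENIED_PROPERTIES or looks_like_email:
            hits.append(key)
    return sorted(hits)


def scrub_event(event: dict, key: bytes) -> dict:
    """Build the outbound event from an allowlist; unknown keys are dropped."""
    out = {
        "event": event["event"],
        "distinct_id": pseudonymize(event["distinct_id"], key),
        "properties": {},
    }
    for name, value in event.get("properties", {}).items():
        if name in PSEUDONYMIZED_PROPERTIES:
            out["properties"][name] = pseudonymize(str(value), key)
        elif name == "referrer" and isinstance(value, str):
            # Keep only the host: paths and query strings can carry tokens.
            host = urlsplit(value).hostname
            if host:
                out["properties"]["referrer_domain"] = host
        elif name in ALLOWED_PROPERTIES:
            # Value-level guard in case an allowed field is misused for an address.
            if isinstance(value, str) and EMAIL_RE.search(value):
                continue
            out["properties"][name] = value
    return out


# Constructed key: in practice a secret held only by the first party and rotated.
KEY = b"constructed-demo-key-rotate-me"

# Constructed sample event, shaped like what a browser SDK attaches by default.
SAMPLE_EVENT = {
    "event": "dashboard_viewed",
    "distinct_id": "user-42",
    "properties": {
        "name": "Jane Doe",
        "email": "jane@example.com",
        "city": "Lyon",
        "country": "FR",
        "os": "macOS",
        "browser": "Firefox",
        "referrer": "https://docs.example.com/quickstart?token=abc",
        "org_id": "org-123",
        "plan_tier": "team",
    },
}

if __name__ == "__main__":
    print("PII in raw event:", find_pii(SAMPLE_EVENT["properties"]))
    scrubbed = scrub_event(SAMPLE_EVENT, KEY)
    print("PII after scrub:", find_pii(scrubbed["properties"]))
    print(scrubbed)
```

The keyed hash keeps the pseudonym stable across events so retention and funnel analysis still work, while a provider that is compromised holds nothing it can map back to a person without the key. Note that from the first party's own perspective the pseudonymized data remains personal data (the key links it back), so this narrows what a sub-processor incident can expose rather than removing the controller's obligations.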

bflesch 42 minutes ago | parent | prev [-]

If Mixpanel is a subprocessor of GDPR-covered data from OpenAI, OpenAI is obliged to notify affected European customers about the data breach within 72 hours.

jacquesm 19 minutes ago | parent [-]

Correct. And they're already out of that window.

cobertos 44 minutes ago | parent | prev | next [-]

It says "customers were impacted" and that they had to work to "eradicate unauthorized access"

It's just a very weasel-worded disclosure. Most definitely a breach.

aberoham an hour ago | parent | prev [-]

For context: https://news.ycombinator.com/item?id=46065585 OpenAI's announcement and https://news.ycombinator.com/item?id=46065208 CoinTracker’s

anonymous908213 an hour ago | parent | prev | next [-]

I don't understand. I was assured that ChatGPT is AGI by Sam Altman. Why are security breaches still happening? Surely with several hundred billion dollars investment and access to AGI, they could use ChatGPT agents to create their own product analytics platform that is robust and resilient against such a trivial attack rather than selling off users' personal data to a third party.

weird-eye-issue an hour ago | parent [-]

> selling off users' personal data to a third party.

You do realize that you pay for Mixpanel right?

anonymous908213 43 minutes ago | parent [-]

Theoretically speaking, payment could take the form of data as part of an enterprise agreement on rates charged. Notably, the OpenAI API privacy policy specifically states...

> We may also aggregate or de-identify Personal Data so that it no longer identifies you and use this information for the purposes described above, such as to analyze the way our Services are being used, to improve and add features to them, and to conduct research. We will maintain and use de-identified information in de-identified form and not attempt to reidentify the information, unless required by law.

The fact that Mixpanel has this data in non-de-identified form is suspect to me. Granted, my entire comment was clearly tongue-in-cheek. Although I think it's possible that OpenAI is selling this data to get a discount on Mixpanel usage, in reality I understand that the more likely explanation is that whoever was responsible for managing this data is completely and totally incompetent.

zdmc an hour ago | parent | prev | next [-]

@sama has raised lots of $ so why risk these types of issues by outsourcing what you have the funding to build and control in-house? plausible deniability? (similar with their prev? use of auth0)

9dev 5 minutes ago | parent | next [-]

Why would an AI startup waste velocity and money to build their own analytics platform or identity provider?

willsmith72 37 minutes ago | parent | prev | next [-]

you shouldn't try to innovate on everything, have to draw the line on buy/build somewhere

udev4096 26 minutes ago | parent | prev | next [-]

Sam Altman is a con man and certainly the definition of evil. He's certainly not head of engineering, so it's not even up to him, not that he's even capable of making such a decision.

normie3000 39 minutes ago | parent | prev [-]

Who is @sama?

chompychop 33 minutes ago | parent [-]

Sam Altman.

red_Seashell_32 2 hours ago | parent | prev | next [-]

It was SMS Phishing, a.k.a. Social Engineering.

If anything, it's the opposite of a breach.

autoexec an hour ago | parent | next [-]

> It was SMS Phishing, a.k.a. Social Engineering... it’s opposite of breach.

A social engineering attack that enables an attacker to gain unauthorized access to Mixpanel's systems and export a dataset containing names, user IDs, location data, and email addresses sounds exactly like a breach to me.

jacquesm an hour ago | parent | prev | next [-]

That is not how it works.

A breach is unauthorized disclosure, the mechanism through which it is achieved is not relevant to that classification.

An employee that walks out with a file would also be classified as a breach, even if no systems got compromised from the outside.

udev4096 25 minutes ago | parent | prev [-]

> Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information

Read before you blindly comment

gotosun an hour ago | parent | prev | next [-]

So did a Mixpanel employee get phished, or were Mixpanel customer accounts targeted, and thus an OpenAI employee fell for it?

kangaroozach 42 minutes ago | parent | prev | next [-]

Smushing is actually a pretty good name for this.

jvandenbroeck an hour ago | parent | prev | next [-]

It's a suspicious post. Why would you make a post if attackers are performing SMS phishing? That happens all the time.

kevcampb an hour ago | parent | next [-]

Possibly because OpenAI have just made a post stating there has been a breach https://openai.com/index/mixpanel-incident/ and implicating Mixpanel as the cause

EdwardDiego 44 minutes ago | parent [-]

But I thought the submitted title was misleading and there's no breach? You seem unsure.

LostMyLogin an hour ago | parent | prev [-]

I also just received an email from OpenAI regarding the incident.

denuoweb an hour ago | parent | prev | next [-]

Email from OpenAI: Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.

This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.

What happened: On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.

What this means for you: User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to:

* Name that was provided to us on the API account

* Email address associated with the API account

* Approximate coarse location based on API user browser (city, state, country)

* Operating system and browser used to access the API account

* Referring websites

* Organization or User IDs associated with the API account

jacquesm 17 minutes ago | parent [-]

Of course if transparency really was important to them they would have disclosed this prior to sending your private information off to mixpanel...

udev4096 28 minutes ago | parent | prev [-]

What kind of notification is this? No actual information is conveyed. It's so vague you might as well not write it