- Tech
Stolen data includes users’ names, email addresses and location data
Anthony CuthbertsonFriday 28 November 2025 15:00 GMTComments
A phone displaying OpenAI’s ChatGPT artificial intelligence logo in Brittany, France on 26 February 2025 (AFP/Getty)
Sign up to our free weekly IndyTech newsletter delivered straight to your inbox
Sign up to our free IndyTech newsletter
Sign up to our free IndyTech newsletter
Email*SIGN UPI would like to be emailed about offers, events and updates from The Independent. Read our Privacy notice
OpenAI has confirmed that a security breach has compromised ChatGPT users’ personal data.
The incident occurred on 9 November, when attackers gained unauthorised access to third-party data analytics provider Mixpanel.
Details stolen include users’ names, email addresses, location data, operating system and the browser they use.
OpenAI said that only users with accounts to access the company’s API interfaces are impacted by the cyber attack.
“This was not a breach of OpenAI’s systems,” OpenAI said in a blog post.
“No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.”
The company said that it is conducting a security investigation and has removed Mixpanel from its production services.
No evidence has been found of the stolen data being misused, though OpenAI warned that hackers could use it as part of phishing or social engineering attacks.
“We encourage you to remain vigilant for credible-looking phishing attempts or spam,” the firm said.
“The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise.”
It is not the first security incident to impact ChatGPT users since OpenAI launched the AI chatbot in November 2022.
The company was forced to take ChatGPT offline in March 2023 after researchers discovered a bug that allowed some users to see the private details of other active users, including partial payment information and some chat metadata.
Later that year, cyber security firm Group-IB reported that more than 100,000 devices had been infected with malware that stole ChatGPT login credentials, including usernames and passwords.
The incident did not involve a breach of OpenAI’s servers or infrastructure.
Following the latest breach, OpenAI said it would be “conducting additional and expanded security reviews” of the third-party apps and services, as well as “elevating security requirements for all partners and vendors.”
More about
OpenAIChatGPTCyber SecurityJoin our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments