
OpenAI has confirmed a security incident involving a third-party analytics provider, Mixpanel, which resulted in the exposure of limited user data associated with its API platform. It’s not our fault, the company said. However, it’s not that simple.
But some say OpenAI could have done much better, because it did not have to send personally identifiable information (PII) to its analytics provider at all. Doing so runs against best practices.
According to OpenAI, the incident occurred within Mixpanel’s systems and involved limited analytics data related to some users of the API. Users of ChatGPT and other products were allegedly not impacted.
“This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed,” OpenAI said.
OpenAI no longer uses Mixpanel
Mixpanel reportedly became aware of an attacker on November 9th. The threat actor gained unauthorized access to part of its systems and exported a dataset containing limited customer identifiable information and analytics data.
The analytics provider notified OpenAI that it was investigating, and on November 25th it shared the affected dataset with the AI company.
User profile information associated with the use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to:
- Name that was provided to OpenAI on the API account
- Email address associated with the API account
- Approximate coarse location derived from the API user's browser (city, state, country)
- Operating system and browser used to access the API account
- Referring websites
- Organization or User IDs associated with the API account
After reviewing the incident, OpenAI has terminated its use of Mixpanel and once again pointed out that the breach wasn’t caused by any vulnerabilities in OpenAI’s systems.
“The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise,” the company added for good measure.
“Completely against best practices”
But the devil is in the details. First, this report likely means that other companies using Mixpanel have also been affected.
And more importantly, as one Reddit user pointed out, OpenAI could have done so much better itself.
“This is so stupid. They did not need to send personally identifiable information into their reporting system. It’s completely against best practices and so easy to avoid,” wrote the user.
“And even IDs shouldn’t be the actual user IDs used for the regular service. It should be an ID just for the reporting.”
Mixpanel actually doesn’t require any identifying information about the user. The company itself says: “You can generate a hash of a unique user ID (such as your internal user ID) and use that hash as the user’s ID.”
According to the Cybernews research team, this means that sending unanonymized user data that can be identified was a choice on OpenAI’s part.
“This was probably done for their own convenience to evaluate their analytics, but it made the exposed data far more valuable to potential attackers than it should have been,” our researchers explained.
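As an added illustration of the separation the Reddit user and Mixpanel's own guidance describe (example code written for this article, not code from OpenAI, Mixpanel, or the researchers), here is a minimal event builder that keeps names, emails and raw account IDs out of the analytics payload. It goes one step past a bare hash by using a keyed hash; the secret pepper, the property allowlist and the sample account are all constructed assumptions.

```python
import hmac
import hashlib
import json
from typing import Any

# Properties allowed to leave our systems for the analytics vendor. Name,
# email and raw account/organization IDs are deliberately absent: the vendor
# never receives them, so a breach there cannot expose them.
ALLOWED_PROPERTIES = {"os", "browser", "country", "referrer_domain", "plan"}

# Secret known only to our backend (assumption; would come from a secrets
# store). It makes the reporting ID unlinkable to the internal ID for anyone
# holding only the analytics dataset.
PEPPER = b"constructed-example-pepper-not-for-production"

def reporting_id(internal_id: str, pepper: bytes = PEPPER) -> str:
    """Identifier used only in analytics, derived from an internal ID.

    Mixpanel's guidance is to send a hash of the internal user ID. HMAC-SHA256
    is used here instead of a bare hash so that short or sequential internal
    IDs cannot be recovered simply by rehashing guesses.
    """
    return hmac.new(pepper, internal_id.encode(), hashlib.sha256).hexdigest()

def build_event(name: str, account: dict[str, Any],
                props: dict[str, Any]) -> tuple[dict, list[str]]:
    """Return the vendor payload plus the list of properties that were dropped."""
    payload = {
        "event": name,
        "distinct_id": reporting_id(account["user_id"]),
        "properties": {
            "org_ref": reporting_id(account["org_id"]),
            **{k: v for k, v in props.items() if k in ALLOWED_PROPERTIES},
        },
    }
    dropped = sorted(k for k in props if k not in ALLOWED_PROPERTIES)
    return payload, dropped

def leaks_identity(payload: dict, account: dict[str, Any]) -> bool:
    """Guardrail: True if any raw account value appears in the serialized payload."""
    serialized = json.dumps(payload)
    return any(str(v) in serialized for v in account.values())

# Constructed sample of what an application might naively hand to analytics.
SAMPLE_ACCOUNT = {"user_id": "user_000123", "org_id": "org_42",
                  "name": "Ada Example", "email": "ada@example.test"}
SAMPLE_PROPS = {"name": "Ada Example", "email": "ada@example.test", "os": "Linux",
                "browser": "Firefox", "city": "Vilnius", "country": "LT",
                "referrer_domain": "example.test", "plan": "pro"}
```

The `leaks_identity` check is the kind of guardrail a release pipeline can run against every event schema, so that a raw ID or email cannot quietly reappear in a payload later.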
For what it’s worth, OpenAI does warn: “The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.”