

If you receive a notification from ChatGPT provider OpenAI about a data breach involving one of its partners, your personal data is probably still secure. Only those with an API account may have been affected. The company says it is notifying all subscribers in the interest of transparency, even though only a limited fraction of them may have been affected.
The company disclosed the incident on its website, stressing the need for transparency about a recent security incident at Mixpanel, a data analytics service that OpenAI used for web analytics on the frontend of its API product.
OpenAI has opened an investigation to determine the full extent of the incident. As a precaution, it has discontinued the use of Mixpanel in its production services and is contacting organizations, administrators, and individual users directly. Although OpenAI emphasizes that only API users are impacted, it has alerted all of its subscribers.
The organization insists that its own systems were not breached and that no general user data was exposed. This incident does not involve a breach of OpenAI’s systems. No chat logs, API requests, API usage data, passwords, credentials, API keys, payment information, or government IDs were compromised or revealed. Even for those with API accounts, only limited data was compromised.
User profile details linked to platform.openai.com usage may have been part of the data exported from Mixpanel. The information that might have been affected was restricted to:
– Name provided to OpenAI on the API account
– Email linked with the API account
– Approximate coarse location based on the API user’s browser (city, state, country)
– Operating system and browser employed to access the API account
– Referring websites
– Organization or User IDs related to the API account
Apple may have been included in the breach, but no customer data will have been revealed.
If you are unsure whether this affects you, the answer is likely no: API account holders will know who they are. However, it is encouraging to see a company being so transparent about a data breach.