- OpenAI apologizes for the data breach that affected one of its partners
- Mixpanel, a data analytics company used by OpenAI, has had its systems hacked
- The details disclosed apply to software developers using the OpenAI development platform and not to regular ChatGPT users.
OpenAI has apologized for a data breach involving one of its partners that resulted in the loss of some emails, user locations and telemetry data.
The third party in question is Mixpanel, a data analytics company whose service OpenAI used on its portal platform.openai.com. This is the OpenAI development platform (used by software developers to integrate AI features into their products), for which Mixpanel provided web analytics.
It is important to note that this is not a breach of ChatGPT, but of the analytics company, which is completely independent of OpenAI. The details disclosed apply only to software developers, not regular ChatGPT users, as OpenAI clarified in its full statement on the incident (spotted by Windows Central).
This statement raises a number of concerns that, as you can imagine, begin when people see headlines about a “ChatGPT data breach” and panic that their user data, or perhaps even their private ChatGPT conversations, may have been leaked.
OpenAI tells us: “Users of ChatGPT and other products were not affected.”
“This is not a breach of OpenAI systems. No conversations, API requests, API usage data, passwords, credentials, API keys, payment data, or government credentials have been compromised or exposed.”
What was revealed then?
OpenAI says the Mixpanel systems breach “involved limited analytics data from some API users,” so only some developers on that platform were affected.
OpenAI is contacting affected individuals, and the information disclosed includes the following user profile details:
- Name specified in API account
- Email address associated with the API account
- Approximate location based on API user’s browser (city, state, country)
- Operating system and browser used to access the API account
- Referring (referrer) pages
- User or organization ID associated with the API account
OpenAI again makes it clear that “OpenAI passwords, API keys, payment information, government IDs, and all developer account information are not affected.”
Is there a risk of unintended consequences or new revelations?
OpenAI assures us: “While we have found no evidence of impact on systems or data outside of the Mixpanel environment, we continue to closely monitor any signs of abuse.”
This does not completely rule out the possibility that further issues will emerge from OpenAI’s ongoing investigation, but it seems very likely that any such issues will be confined to software developers.
What is OpenAI doing about it?
OpenAI is clearly taking this incident seriously, and Mixpanel’s services have been suspended. OpenAI also says that in light of the incident, it is “making enhanced security assessments across our vendor ecosystem” and “raising security requirements” for all of its partners. This suggests that OpenAI is re-examining its own judgment in choosing this particular partner.
Given that there are sure to be concerns about the wider impact on OpenAI even though the breach wasn’t its fault, it seems like a sensible move for OpenAI to assess the other companies it works with in light of this latest incident.
No need to worry, but here’s a safety reminder.
Hopefully, what OpenAI has reported here will represent the full extent of the breach once the incident investigation is complete. This won’t bring much comfort to those affected, but as already mentioned, they should only be software developers using the OpenAI API platform.
Due to the limited nature of the breach, OpenAI itself does not recommend that developers reset their passwords.
However, in the mini-FAQ at the end of the statement, OpenAI recommends that all users enable multi-factor authentication (MFA) on their accounts if they haven’t already, even though developer account credentials were not affected by this breach. This is simply because, as a security best practice, MFA should be used on every online account that offers it.
If you add an authentication step beyond entering your password, such as a code sent to your phone by text message, someone who has obtained your username and password still cannot log in to your account, even if those details become public.