OpenAI has admitted a security breach at a third-party supplier exposed customer emails, location information, and “limited analytics data related to some users of the API”.
The supplier, Mixpanel, provides data analytics services via OpenAI’s developer platform. OpenAI said the platform is used to help “understand product usage” and improve services for its API product, platform.openai.com.
On 9 November, Mixpanel discovered an attacker gained unauthorized access to systems. They then exfiltrated a dataset containing “limited customer identifiable information and analytics information”.
A full outline of data exposed, per an OpenAI statement on the breach, includes:
- Names provided via Mixpanel API accounts
- Email addresses associated with the API account
- “Aproximate course location based on API user browsers” (including city, state, and country)
- Information on operating systems and browsers used to access the API account
- Referring websites associated with the API account
OpenAI has been keen to stress that the breach only affects developers and not general ChatGPT users. It also said developer credentials – including passwords, payment information, and government IDs – weren’t exposed.
OpenAI added that it’s currently in the process of notifying those affected by the incident.
A swift response from OpenAI
Upon discovery of the breach, OpenAI said it removed Mixpanel from production services and began a review of affected datasets.
While the investigation is still ongoing, the company noted it has so far found “no evidence of any effect on systems or data outside Mixpanel’s environment”.
The company has since terminated its use of the data analytics platform and said it will conduct a review of its broader supplier ecosystem.
“Trust, security, and privacy are foundational to our products, our organisation, and our mission, OpenAI said in a statement. “We also hold our partners and vendors accountable for the highest bar for security and privacy of their services.”
Jake Moore, global cybersecurity advisor at ESET, commended OpenAI for its “swift move” in alerting users and cutting ties with the supplier. Many organizations try to minimize security incidents and keep them “under the radar”, he said.
“Companies often fear the aftermath of an attack and presume it will be brand damaging,” Moore commented. “However, openness is now deemed far more important and speed is usually of the essence in making anyone affected aware of the situation.”
Developers warned to remain vigilant
OpenAI said information exposed in the breach could be used by hackers to carry out future attacks on users and encouraged them to “remain vigilant”.
These types of warnings are common in the wake of a data breach, according to Moore.
“Even though the exposed data was low-sensitivity, it could still be misused in the likes of social engineering techniques or via phishing attacks because attackers could combine the data such as name, email, even approximate location data to craft convincing fraudulent messages,” he explained.
“As within the wake of typical data compromises, those affected need to remain vigilant for suspicious emails or other strange communications.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
TOPICS
