OpenAI and Vendor Mixpanel Face Lawsuit After Data Breach

A California resident reportedly sued artificial intelligence startup OpenAI and data analytics provider Mixpanel on Monday (Dec. 1) after the companies disclosed a data breach in November.

Jon Woodard’s class action lawsuit alleges that the companies violated their duty to safeguard user data, and it seeks damages and injunctive relief requiring improved security measures, Bloomberg Law reported Monday.

OpenAI disclosed the security incident in a Wednesday (Nov. 26) blog post, saying the incident occurred within Mixpanel’s systems, involved limited analytics data related to some users of OpenAI’s application programming interface (API) product, and did not impact users of ChatGPT and other products.

OpenAI used Mixpanel for web analytics on the front-end interface for the AI startup’s API product, using the company’s services to help understand product usage and improve the product, according to the post.

“This was not a breach of OpenAI’s systems,” the post said. “No chat, API requests, API usage data, passwords, credentials, API keys, payment details or government IDs were compromised or exposed.”

The data exported from Mixpanel during the breach may have included the user’s name, email address, and organization or user IDs associated with the API account; the approximate coarse location based on the API user’s browser; the operating system and browser used to access the API account; and the referring websites, per the post.

Mixpanel published its response to the security incident a day later, in a Thursday (Nov. 27) blog post, saying it detected a smishing campaign on Nov. 8 and promptly contained and eradicated unauthorized access and secured impacted user accounts.

“We proactively communicated with all impacted customers,” the post said.

OpenAI said in its blog post that after reviewing the security incident, it terminated its use of Mixpanel and is conducting expanded security reviews across its vendor ecosystem.

“Since names, email addresses and OpenAI API metadata (e.g., user IDs) were included, we encourage you to remain vigilant for credible-looking phishing attempts or spam,” the company told users in its post.

Verizon reported in May that 30% of data breaches that occurred during the year ended Oct. 31, 2024, involved third parties such as suppliers, vendors, hosting partners and outsourced IT support providers that act as custodians of companies’ data and underpin critical parts of those organizations’ operations.

It was reported in September that experts predict that the number of cyberattacks on companies’ third-party suppliers will increase this year.

Source: https://www.pymnts.com/