
2025-11 Mixpanel, OpenAI Security Incident

In the interest of transparency, ORCA wants to inform you about a recent security incident involving Mixpanel, a third-party analytics provider.

As of Nov 2025, Mixpanel is used 1) by ORCA and 2) by OpenAI, ORCA’s AI provider.

We want to reassure you that no ORCA client data, platform data, or internal systems were compromised.

What happened

On November 8–9, 2025, Mixpanel detected unauthorized access to part of their systems. During that incident, an attacker exported a dataset containing limited customer-identifiable information and analytics metadata belonging to a subset of Mixpanel customers.

ORCA received communication from Mixpanel that ORCA’s account was not affected.

OpenAI, which utilized Mixpanel for web analytics on its API platform, was among the organizations whose analytics data was included in the exported dataset. OpenAI was notified by Mixpanel, conducted its own security investigation, and shared information about the incident with its customers.

What this means for ORCA

To be clear:

  • ORCA’s data in Mixpanel was not affected.
  • No ORCA data was directly included in the breach at Mixpanel.

However, because ORCA is a customer of OpenAI, some ORCA-associated metadata that OpenAI collected for analytics—held within Mixpanel’s systems—may have been part of the dataset Mixpanel reported as compromised.

Based on OpenAI’s investigation, the potentially exposed information is limited to:

  • Name provided on ORCA’s OpenAI API account,
  • Email address associated with ORCA’s OpenAI API account (this is ORCA’s internal email),
  • Approximate coarse location based on the browser used (city, state, country),
  • Operating system and browser metadata,
  • Referring websites,
  • Organization or user IDs associated with the OpenAI API account

Importantly, no client data, API keys, passwords, authentication tokens, payment information, ORCA data, prompts, model inputs, model outputs, or any ORCA platform information were affected.

This incident was confined to Mixpanel’s environment. See OpenAI statement.

Actions taken by OpenAI and Mixpanel

Mixpanel

  • Detected and contained the incident
  • Revoked compromised sessions, reset credentials, and blocked malicious activity
  • Performed global password resets for all Mixpanel employees
  • Engaged external cybersecurity experts and law enforcement
  • Conducted full forensic reviews and implemented additional protections

OpenAI

  • Removed Mixpanel from all OpenAI production systems
  • Reviewed the affected dataset
  • Initiated direct notification to impacted customers
  • Found no evidence of misuse outside Mixpanel’s environment
  • Elevated security requirements across all vendors

ORCA

  • Reviewed the details provided by OpenAI and Mixpanel
  • Monitoring for any signs of misuse involving ORCA-associated information
  • Confirmed no ORCA systems or client data were affected
  • Continuing to enforce and strengthen strong internal security controls
  • Coordinating with OpenAI and Mixpanel for any future updates relevant to our clients

We’re here to support you

If you have questions or concerns regarding this incident, please reach out to us directly at privacy@withorca.com. We will continue to communicate transparently and share any new information that may emerge.
