Yes, if you accidentally push grandma and her wheelchair over a cliff you probably wouldn’t refer to it as “a recent family incident”. In particular the fourth word, a single letter ‘a’, immediately got my back up. The vagueness and defensiveness of the whole post feels very dismissive and inhuman.
”Out of transparency and our desire to share with our community…” also reminds me when I get a refund that is prefixed with ”as a one-time gesture of goodwill…” instead of ”sorry, we made a mistake”.
I believe the proper term for this kind of "as a one-time gesture of goodwill" is "ex gratia", and is more-or-less a standard form for compensation without admitting liability.
Yes - I have the same intuition. But it may also just be u fortunate timing and obligations. Sometimes companies have requirements from customers to notify them within some time period following a breach.
And it looks like many companies got affected because their data was stolen via gainsight. The hackers said they plan to ask the companies for ransoms.
Yikes, Mixpanel lost a OpenAI as a customer because of this.
> Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.
Considering they were aware of this on the 8th (who knows how long that was after it actually happened) it's a little disappointing that they'd wait until the day before such a major holiday to post about it. Unsurprising sure, but still disappointing.
I'm extremely confused by Mixpanel announcement, according to their blog post if you received an email from them it implies you were affected, yet I closed my account with them few months ago and I still received their email, which I can't understand if my account was impacted or no
> As a valued customer, we wanted to inform you about a recent security incident that affected a limited number of Mixpanel user accounts. We have proactively communicated with all impacted customers. If we did not previously contact you, your Mixpanel accounts were not impacted. We continue to prioritize security as a core tenant of our company, products and services. We are committed to supporting our customers and communicating transparently about this incident.
If that is true, then the data impacted was likely account data, as we also got the email and yet we are only just starting the integration work, and we dont have events in there yet.
It doesn't seem that confusing. The blog post says that they "proactively communicated with all impacted customers" not that they've only emailed impacted customers. Recieving an email doesn't imply you were affected, just that the lack of all email saying "you were affected" means you were not impacted by this event.
In the event you had closed your account a year ago they may have deleted your information from their systems. No way for you to be impacted, but also no way to tell you that, so the lack of the email is the message in that case.
The fact an email was sent from their system implies they kept at least the email. from there one could assume they may have kept more data than the email, I would also be confused, especially if I only was emailed after the incident
> In the event you had closed your account a year ago they may have deleted your information from their systems.
Given what I know about data life cycle implementations there is a very good chance that that data was still there unless the GP explicitly requested it be deleted.
Companies tend to hang on to all kinds of data that they shouldn't have.
The fact that they received an email is a first indication that it wasn't deleted.
If you are EU based (or other equivalent country with decent data protection laws) there may be a GDPR complaint with them not deleting your data after closing your account under the right to be forgotten
Mixpanel’s post is very poorly written. This is basically a textbook example of how not to handle this situation.
The OpenAI disclosure is a better summary of what happened than Mixpanel is stating directly.
Looks like OpenAI has fired Mixpanel as a product over this issue:
“We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.”
That’s a pretty damning statement about a vendor that you don’t see written often publicly like that.
Smishing is a new term for me.. Had to look it up actually. For anyone else
> Smishing is a cyber-attack that targets individuals through SMS (Short Message Service) or text messages. The term is a combination of “SMS” and “phishing.”
in practice: "hey man, this is Josh from OpenAI, can you disable 2FA on my account josh@openai.com ? I changed my phone and am abroad for a bit, thanks"
This is a good example of "your vendor is your attack surface" becoming the security lesson of 2025.
The pattern keeps repeating: Trust vendor → Vendor gets breached → Your users' data exposed. And the cascading effect here is notable - Mixpanel breach → OpenAI API users exposed → Those users likely reused credentials elsewhere.
For sensitive operations, the takeaway is clear: minimize what you share with third parties. If your credentials never leave your machine in the first place, they can't be exfiltrated from a vendor breach.
The old model of "trust but verify" feels increasingly outdated. The new model probably needs to be "verify or don't share."
> It was SMS Phishing, a.k.a. Social Engineering... it’s opposite of breach.
A social engineering attack that enables an attacker to gain unauthorized access to Mixpanel's systems and export a dataset containing names, user IDs, location data, and email addresses sounds exactly like a breach to me.
> Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information
Does this win the award of the least transparent disclosure ever? It is not clear from this what happened, whether data was leaked, how many of their customers were affected, what kind of "attack" it is, whether this was due to "SMS" or their security (or lack of).
Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.
What happened
On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.
What this means for you
User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to:
Name that was provided to us on the API account
Email address associated with the API account
Approximate coarse location based on API user browser (city, state, country)
Operating system and browser used to access the API account
Referring websites
Organization or User IDs associated with the API account
Our response
As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We are in the process of notifying impacted organizations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse.
Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.
Beyond Mixpanel, we are conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors.
What you should keep in mind
The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.
Since names, email addresses, and OpenAI API metadata (e.g., user IDs) were included, we encourage you to remain vigilant for credible-looking phishing attempts or spam. As a reminder:
Treat unexpected emails or messages with caution, especially if they include links or attachments.
Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain.
OpenAI does not request passwords, API keys, or verification codes through email, text, or chat.
Further protect your account by enabling multi-factor authentication.
The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise. Thank you for your continued trust in us.
For more information about this incident and what it means for impacted users, please see our blog post here.
Please contact your account team or mixpanelincident@openai.com if you have any questions or need our support.
Email from OpenAI: Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.
What happened
On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.
What this means for you
User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to:
Name that was provided to us on the API account
Email address associated with the API account
Approximate coarse location based on API user browser (city, state, country)
Operating system and browser used to access the API account
Referring websites
Organization or User IDs associated with the API account
To be fair to OpenAI, their privacy policy[0] does provide some detail. They don't mention Mixpanel explicitly, but OpenAI does mention they share your information with third-party web analytics services:
> To assist us in meeting business operations needs and to perform certain services and functions, we may disclose Personal Data to vendors and service providers, including providers of ... web analytics services ...
OpenAI likely provides this disclosure to comply with US state privacy laws, but it's inaccurate to say they didn't disclose that they won't share your information
@sama has raised lots of $ so why risk these types of issues by outsourcing what you have the funding to build and control in-house? plausible deniability? (similar with their prev? use of auth0)
Sam Altman is a con man and certainly the definition of evil. He's certainly not head of engineering so it's not even upto him, not that he's even capable of making such a decision
I don't understand. I was assured that ChatGPT is AGI by Sam Altman. Why are security breaches still happening? Surely with several hundred billion dollars investment and access to AGI, they could use ChatGPT agents to create their own product analytics platform that is robust and resilient against such a trivial attack rather than selling off users' personal data to a third party.
Theoretically speaking, payment could take the form of data as part of an enterprise agreement on rates charged. Notably, the OpenAI API privacy policy specifically states...
> We may also aggregate or de-identify Personal Data so that it no longer identifies you and use this information for the purposes described above, such as to analyze the way our Services are being used, to improve and add features to them, and to conduct research. We will maintain and use de-identified information in de-identified form and not attempt to reidentify the information, unless required by law.
The fact that Mixpanel has this data in non-de-identified form is suspect to me. Granted, my entire comment was clearly tongue-in-cheek. Although I think it's possible that OpenAI is selling this data to get a discount on Mixpanel usage, in reality I understand that the more likely explanation is that whoever was responsible for managing this data is completely and totally incompetent.
I _hate_ how this is written. At no point does it disclose explicitly:
* What systems were accessed
* What information was potentially exposed
* Just how "proactively" they've been about this (no timeline)
* Numbers... The scale of any of it
---
Some comments from quoted portions of article
> Mixpanel detected a smishing campaign ...
Doesn't give any details on who the companion targeted, or how, or how widespread.
> We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts.
So there was definitely _some_ sort of unauthorized access, but doesn't say to which accounts or in what systems
> Performed global password resets for all Mixpanel employees
So... definitely sounds like they expected compromise of Mixpanel employee credentials
Yes, if you accidentally push grandma and her wheelchair over a cliff you probably wouldn’t refer to it as “a recent family incident”. In particular the fourth word, a single letter ‘a’, immediately got my back up. The vagueness and defensiveness of the whole post feels very dismissive and inhuman.
”Out of transparency and our desire to share with our community…” also reminds me when I get a refund that is prefixed with ”as a one-time gesture of goodwill…” instead of ”sorry, we made a mistake”.
Weasel words.
I’m sorry IF you were offended… vs
I’m sorry I made offensive remarks. It hurt you and I am truly sorry.
1 reply →
I believe the proper term for this kind of "as a one-time gesture of goodwill" is "ex gratia", and is more-or-less a standard form for compensation without admitting liability.
Yes, the OpenAI disclosure about the same incident is much better https://openai.com/index/mixpanel-incident/
Much better ?
What to know about a recent Mixpanel security incident Transparency is important to us...
They're so much transparent that they leaked PII to Mixpanel...
Same for CoinTracker; more detailed than the original -- https://news.ycombinator.com/item?id=46065208
HN discussion of OpenAI’s notice about this Mixpanel situation:
https://news.ycombinator.com/item?id=46065585
2 replies →
It makes you wonder if Mixpanel would have disclosed this if not for OpenAI more or less forcing them to.
Announcing the breach on Thanksgiving day was also certainty calculated.
Yes - I have the same intuition. But it may also just be u fortunate timing and obligations. Sometimes companies have requirements from customers to notify them within some time period following a breach.
1 reply →
I got a much more informative disclosure the day before from Open AI.
Yup, seems they had more information than Mixpanel is willing to share with the public. Here is the email about this event as described by OpenAI: https://gist.github.com/embedding-shapes/e5ac6168dbc32a0762b...
1 reply →
Also, I had never heard the word "smishing" before. I don't get what's different from "normal" phishing.
The difference is it's delivered via SMS, and someone wanted to sound cool.
2 replies →
Phishing via sms
Just wait until you hear about quishing!
but they registered the IOCs in their SIEM platform, so no way this will happen again
WTF? IDK...
Expect the worst.
Related, Gainsight - some other customer analytics thing - was also breached. See here:
https://news.ycombinator.com/item?id=46071239
And it looks like many companies got affected because their data was stolen via gainsight. The hackers said they plan to ask the companies for ransoms.
I find it it incredible how much worse this article is compared to OpenAI’s article [0]
Mixpanel certainly has more info than OpenAI, yet has determined to share far less with the public. This reflects very poorly on them as a company.
[0] https://openai.com/index/mixpanel-incident/
Yikes, Mixpanel lost a OpenAI as a customer because of this.
> Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.
Cointracker sent virtually the same email 3h earlier fww, Openai either adapted from their template or another one.
> datePublished":"2025-11-27T04:39:29.000Z
Considering they were aware of this on the 8th (who knows how long that was after it actually happened) it's a little disappointing that they'd wait until the day before such a major holiday to post about it. Unsurprising sure, but still disappointing.
This is in breach of the 72hr GDPR notification window
China’s is even more stringent at 4 hours, down to 1 hour for high-severity incidents:
https://www.theregister.com/2025/09/16/china_1hour_cyber_rep...
https://privacymatters.dlapiper.com/2025/09/china-new-strict...
1 reply →
Only the supervisory authorities are required to be informed in 72 hour, and even there, it's not a hard rule, you can have excuses.
this is for the regulator or governing body, not public. Most big clients will have an explicit reporting window in their contract though
I'm extremely confused by Mixpanel announcement, according to their blog post if you received an email from them it implies you were affected, yet I closed my account with them few months ago and I still received their email, which I can't understand if my account was impacted or no
> As a valued customer, we wanted to inform you about a recent security incident that affected a limited number of Mixpanel user accounts. We have proactively communicated with all impacted customers. If we did not previously contact you, your Mixpanel accounts were not impacted. We continue to prioritize security as a core tenant of our company, products and services. We are committed to supporting our customers and communicating transparently about this incident.
Closing your account doesn't automatically mean they wiped all your data. If you got the email, your data was impacted.
If that is true, then the data impacted was likely account data, as we also got the email and yet we are only just starting the integration work, and we dont have events in there yet.
It doesn't seem that confusing. The blog post says that they "proactively communicated with all impacted customers" not that they've only emailed impacted customers. Recieving an email doesn't imply you were affected, just that the lack of all email saying "you were affected" means you were not impacted by this event.
In the event you had closed your account a year ago they may have deleted your information from their systems. No way for you to be impacted, but also no way to tell you that, so the lack of the email is the message in that case.
The fact an email was sent from their system implies they kept at least the email. from there one could assume they may have kept more data than the email, I would also be confused, especially if I only was emailed after the incident
> In the event you had closed your account a year ago they may have deleted your information from their systems.
Given what I know about data life cycle implementations there is a very good chance that that data was still there unless the GP explicitly requested it be deleted.
Companies tend to hang on to all kinds of data that they shouldn't have.
The fact that they received an email is a first indication that it wasn't deleted.
If you are EU based (or other equivalent country with decent data protection laws) there may be a GDPR complaint with them not deleting your data after closing your account under the right to be forgotten
Really only if you ask for your data to be deleted too
[dead]
Does that mean Mixpanel stock/valuation goes up because OpenAI uses them? That's how it works now is it?
> FAQ
> Has Mixpanel been removed from OpenAI products?
> Yes.
https://openai.com/index/mixpanel-incident/
Hard to tell if that's a temporary or permanent step
1 reply →
In the email they sent to users it's clear they don't use them anymore
Is it? I read that they disabled mixpanel while the incident was ongoing?
2 replies →
Mixpanel’s post is very poorly written. This is basically a textbook example of how not to handle this situation.
The OpenAI disclosure is a better summary of what happened than Mixpanel is stating directly.
Looks like OpenAI has fired Mixpanel as a product over this issue:
“We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.”
That’s a pretty damning statement about a vendor that you don’t see written often publicly like that.
Smishing is a new term for me.. Had to look it up actually. For anyone else
> Smishing is a cyber-attack that targets individuals through SMS (Short Message Service) or text messages. The term is a combination of “SMS” and “phishing.”
in practice: "hey man, this is Josh from OpenAI, can you disable 2FA on my account josh@openai.com ? I changed my phone and am abroad for a bit, thanks"
If you are a smaller business, you don't need those enterprise solutions, something like self-hosted PostHog/UXWizz/Matomo should be more than enough.
No reason to send your data to other companies.
This is a good example of "your vendor is your attack surface" becoming the security lesson of 2025.
The pattern keeps repeating: Trust vendor → Vendor gets breached → Your users' data exposed. And the cascading effect here is notable - Mixpanel breach → OpenAI API users exposed → Those users likely reused credentials elsewhere.
For sensitive operations, the takeaway is clear: minimize what you share with third parties. If your credentials never leave your machine in the first place, they can't be exfiltrated from a vendor breach.
The old model of "trust but verify" feels increasingly outdated. The new model probably needs to be "verify or don't share."
The title here is misleading. The original article does not state breach and at no point have Mixpanel used that term.
"A security incident" is a nicer way of saying "security breach" once you run it through legal counsel.
The article you're reading states...
"We took comprehensive steps to _contain_ and eradicate unauthorized access"
That's a breach my friend.
That's a mixpanel breach if the unauthorised access was mixpanel staff accounts.
If someone phishes your gmail account, there is no gmail breach.
1 reply →
For context: https://news.ycombinator.com/item?id=46065208 CoinTracker’s
Well OpenAI say users' names, emails and locations have been divulged, one of them is going to accept there was a "breach"
OpenAI was sending that data to MixPanel. If anything, OpenAI is culprit for sensitive data leak. There’s absolutely no reason to send that data.
5 replies →
If Mixpanel is subprocessor of GDPR'd data from OpenAI, OpenAI is obliged to notify affected European customers about the data breach within 72hrs.
4 replies →
It says "customers were impacted" and that they had to work to "eradicate unauthorized access"
It's just a very weazel-worded disclosure. Most definitely a breach.
What an opportune day to let everyone know this critical information!
This post gives me the ick as the kids say.
I got the email and just seen the blog post. A little confused, what data was stolen? Event data?
It was SMS Phishing, a.k.a. Social Engineering.
It anything, it’s opposite of breach.
> It was SMS Phishing, a.k.a. Social Engineering... it’s opposite of breach.
A social engineering attack that enables an attacker to gain unauthorized access to Mixpanel's systems and export a dataset containing names, user IDs, location data, and email addresses sounds exactly like a breach to me.
That is not how it works.
A breach is unauthorized disclosure, the mechanism through which it is achieved is not relevant to that classification.
An employee that walks out with a file would also be classified as a breach, even if no systems got compromised from the outside.
> Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information
Read before you blindly comment
Bit of a trial-by-fire for the brand-new CEO. Her pick was announced September 3rd, and two months later on November 9th this hit her desk.
“(We) are working closely with Mixpanel and other partners to fully understand the incident and its scope”
So they don’t know yet how bad this is.
Here's some of the biggest mobile apps using mixpanel:
https://appgoblin.info/companies/mixpanel.com
It's a suspicious post, why would you make a post if attackers are performing a sms phishing, that happens all the time.
Possibly because OpenAI have just made a post stating there has been a breach https://openai.com/index/mixpanel-incident/ and implicating Mixpanel as the cause
But I thought the submitted title was misleading and there's no breach? You seem unsure.
I also just received an email from OpenAI regarding the incident.
So did an Mixpanel employee get phished or were Mixpanel customer accounts targeted, thus an OpenAI employee fell for it?
Does this win the award of the least transparent disclosure ever? It is not clear from this what happened, whether data was leaked, how many of their customers were affected, what kind of "attack" it is, whether this was due to "SMS" or their security (or lack of).
The email from OpenAI is actually better:
Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.
What happened On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.
What this means for you User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to: Name that was provided to us on the API account Email address associated with the API account Approximate coarse location based on API user browser (city, state, country) Operating system and browser used to access the API account Referring websites Organization or User IDs associated with the API account Our response As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We are in the process of notifying impacted organizations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse.
Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.
Beyond Mixpanel, we are conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors.
What you should keep in mind The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.
Since names, email addresses, and OpenAI API metadata (e.g., user IDs) were included, we encourage you to remain vigilant for credible-looking phishing attempts or spam. As a reminder: Treat unexpected emails or messages with caution, especially if they include links or attachments. Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain. OpenAI does not request passwords, API keys, or verification codes through email, text, or chat. Further protect your account by enabling multi-factor authentication. The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise. Thank you for your continued trust in us.
For more information about this incident and what it means for impacted users, please see our blog post here.
Please contact your account team or mixpanelincident@openai.com if you have any questions or need our support.
OpenAI
Email from OpenAI: Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider that OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com). The incident occurred within Mixpanel’s systems and involved limited analytics data related to your API account.
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.
What happened On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.
What this means for you User profile information associated with use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to: Name that was provided to us on the API account Email address associated with the API account Approximate coarse location based on API user browser (city, state, country) Operating system and browser used to access the API account Referring websites Organization or User IDs associated with the API account
Of course if transparency really was important to them they would have disclosed this prior to sending your private information off to mixpanel...
To be fair to OpenAI, their privacy policy[0] does provide some detail. They don't mention Mixpanel explicitly, but OpenAI does mention they share your information with third-party web analytics services:
> To assist us in meeting business operations needs and to perform certain services and functions, we may disclose Personal Data to vendors and service providers, including providers of ... web analytics services ...
OpenAI likely provides this disclosure to comply with US state privacy laws, but it's inaccurate to say they didn't disclose that they won't share your information
[0] https://openai.com/policies/privacy-policy/
Yeah they really shouldn't be sharing PII with mixpanel there's no need.
1 reply →
@sama has raised lots of $ so why risk these types of issues by outsourcing what you have the funding to build and control in-house? plausible deniability? (similar with their prev? use of auth0)
Why would an AI startup waste velocity and money to build their own analytics platform or identity provider?
You would expect them to dogfood and have their own AI write the analytics service for themselves.
1 reply →
you shouldn't try to innovate on everything, have to draw the line on buy/build somewhere
Who is @sama?
Sam Altman.
1 reply →
Sam Altman is a con man and certainly the definition of evil. He's certainly not head of engineering so it's not even upto him, not that he's even capable of making such a decision
Smushing is actually a pretty good name for this.
Try Pendo instead…
What kind of notification is this? No actual information is conveyed. It's so vague you might as well not write it
[dead]
I don't understand. I was assured that ChatGPT is AGI by Sam Altman. Why are security breaches still happening? Surely with several hundred billion dollars investment and access to AGI, they could use ChatGPT agents to create their own product analytics platform that is robust and resilient against such a trivial attack rather than selling off users' personal data to a third party.
> selling off users' personal data to a third party.
You do realize that you pay for Mixpanel right?
Theoretically speaking, payment could take the form of data as part of an enterprise agreement on rates charged. Notably, the OpenAI API privacy policy specifically states...
> We may also aggregate or de-identify Personal Data so that it no longer identifies you and use this information for the purposes described above, such as to analyze the way our Services are being used, to improve and add features to them, and to conduct research. We will maintain and use de-identified information in de-identified form and not attempt to reidentify the information, unless required by law.
The fact that Mixpanel has this data in non-de-identified form is suspect to me. Granted, my entire comment was clearly tongue-in-cheek. Although I think it's possible that OpenAI is selling this data to get a discount on Mixpanel usage, in reality I understand that the more likely explanation is that whoever was responsible for managing this data is completely and totally incompetent.
1 reply →