This is a good example of "your vendor is your attack surface" becoming the security lesson of 2025.

The pattern keeps repeating: Trust vendor → Vendor gets breached → Your users' data exposed. And the cascading effect here is notable - Mixpanel breach → OpenAI API users exposed → Those users likely reused credentials elsewhere.

For sensitive operations, the takeaway is clear: minimize what you share with third parties. If your credentials never leave your machine in the first place, they can't be exfiltrated from a vendor breach.

The old model of "trust but verify" feels increasingly outdated. The new model probably needs to be "verify or don't share."