Why SMBs Are Being Phished More Than Ever in 2025
Adversaries shifted from 'deploy malware and wait' to 'trick a human and walk in.' The 5 threat actors weaponizing social engineering against SMBs — and how to build a phish-resilient culture.

On November 26, 2025, OpenAI disclosed that customer information tied to its API platform was exposed due to a security breach at Mixpanel, an analytics vendor OpenAI used to track developer-portal usage.
To be clear: OpenAI itself was not breached. No API keys, passwords, payment information, or ChatGPT chat logs were accessed. But the leaked data did include names tied to API accounts, email addresses, approximate location (city, state, country), browser metadata and OS details, organization or user IDs, and referring URLs. The incident also touched a limited number of ChatGPT users who submitted help-center tickets or were logged into platform.openai.com — not just API accounts.
Individually these feel harmless. Collectively, they're a blueprint attackers use to impersonate vendors, service providers, or "OpenAI Support" with frightening accuracy. OpenAI responded by removing Mixpanel from its production services, terminating the relationship, and launching expanded security reviews across its vendor ecosystem.
SMBs underestimate how dangerous "non-confidential" metadata is. As offensive operators, we know exactly how it gets weaponized.
Metadata builds credible phishing lures. Knowing your name, email, company, and location lets an attacker write: "Your OpenAI API usage in Dallas, TX triggered a rate-limit enforcement. Please verify your credentials." That kind of spear-phish bypasses gut instincts because it feels personal and relevant.
SMBs get hit via vendor imitation. Attackers love impersonating SaaS vendors, cloud platforms, billing providers, analytics tools, and support teams. With real metadata tied to real accounts, they don't need to guess — they craft subjects, usernames, and APIs the victim actually uses.
Third-party risk is the new frontline. Even if OpenAI is secure, a vendor like Mixpanel becomes the weak link. The breach didn't have to expose confidential data to still fuel sophisticated campaigns.
Modern attacks aren't about breaching the big target. They're about breaching the vendor ecosystem, collecting metadata, and weaponizing trust. Your risk isn't limited to what you store — it includes what your vendors store about you. Metadata is not harmless. Metadata is ammunition.
Want help evaluating your vendor exposure? We red-team your actual attack surface — including the partners and SaaS vendors that store data about you.