Deutsche Telekom’s streaming service, MagentaTV, has been caught up in a large-scale data exposure incident after researchers discovered an unsecured server revealing more than 324 million user log entries. The leak was traced back to a third-party ad delivery platform used by MagentaTV and may have remained publicly accessible for several months before being secured.
Unprotected Elasticsearch Instance Behind the Leak
The issue came to light in mid-June 2025 when the Cybernews research team identified an unprotected Elasticsearch instance hosted by Serverside.ai, a server-side ad insertion (SSAI) platform. The leaked data stemmed entirely from MagentaTV, which is operated by Deutsche Telekom, Europe’s largest telecom company.
Serverside.ai is owned by Equativ, a French adtech firm. According to the researchers, the data exposure was likely open since at least early February 2025. It was removed from public view after the research team contacted the company in June.
Scale and Nature of the Exposed MagentaTV Data
While the majority of the 729GB worth of data consisted of non-sensitive information, a significant portion of the logs contained identifiable technical data about MagentaTV users. Every user interaction with the platform created HTTP headers, many of which were captured in the exposed logs.
Although MagentaTV reportedly serves around 4.4 million users, the unprotected instance included over 324 million log entries, receiving between 4 to 18 million new logs daily.
Some of the compromised data points include:
- IP addresses
- MAC addresses
- Session IDs
- Customer IDs
- User-agent details
These data types include device identifiers, network details, and session information that, if cross-referenced or combined with other breached data, could enable targeted attacks or tracking of users.
Cybersecurity Risks and Potential Abuse
While no direct exploitation of the leaked data has been reported, the researchers highlighted several risks. The exposed information could theoretically allow session hijacking or tracking of individual users, particularly if combined with older breach data.
“In theory, HTTP headers, including customer IDs and session IDs, could be used for session hijacking, allowing attackers to log into customer accounts without needing to know any personal account information or passwords. However, in the real world, additional security measures preventing such session hijacking were likely in place,” the Cybernews team explained.
They also noted that MagentaTV devices are manufactured by a Chinese OEM, which can sometimes be more vulnerable to security flaws. These devices, sold under Deutsche Telekom branding, were the primary access point for the platform, adding another layer of concern.
“This leaked information would be immensely helpful to attackers exploiting devices by revealing their IP addresses, and the exposed customer IDs could also aid cybercriminals in attacks, depending on the specific exploit being used,” the researchers added.
Timeline of the Incident
- Leak discovered: June 18, 2025
- Initial disclosure and CERT contacted: June 18, 2025
- Leak secured: July 22, 2025
At the time of writing, Deutsche Telekom has not responded to requests for comment.
