MagentaTV, Deutsche Telekom’s TV and streaming platform, leaked user data via an ad delivery platform. Our researchers believe the data, including user IP and MAC addresses, was accessible for several months before the company secured the leak.
The Cybernews research team uncovered the leak in mid-June this year after discovering an unprotected Elasticsearch instance hosted by Serverside.ai, a server‑side ad insertion (SSAI) platform. According to the team, all the data on the exposed instance originated from MagentaTV, a video streaming aggregator platform owned by Deutsche Telekom (DT).
The German telecoms company is Europe’s largest, operating several subsidiaries and the T-Mobile brand. Meanwhile, Serverside.ai is owned by Equativ, a French adtech company.
Researchers believe that the instance was publicly accessible at least since early February 2025, with the company taking it away from public view after our team contacted it in June. We have reached out to DT for comment and will update the article once we receive a reply.
What details did the MagentaTV data leak involve?
While the majority of the information accessible via the exposed instance could be considered non-sensitive, some of the leaked logs contained HTTP headers from requests sent by MagentaTV customers. Every time users interact with the platform, a request with an HTTP header is created.
While third-party sources estimate that MagentaTV has a user base of 4.4 million individuals, the exposed instance held over 324 million log entries, which amounted to a whopping 729GB of data. Moreover, researchers claim that the exposed instance received new log entries every day, with anywhere from 4 to 18 million logs being added daily.
According to the team, while most of the data was not sensitive, some user data was exposed in the leak, including:
- IP addresses
- MAC addresses
- Session IDs
- Customer IDs
- User agents
In other words, the exposed details included unique internet connection identifiers, hardware identifiers, unique user account numbers, and data about a MagentaTV customer’s device. Theoretically, attackers could utilize leaked data to track user locations, identify them, and direct targeted attacks against specific devices. However, researchers believe attackers would need to work to abuse the leaked data for nefarious purposes.
“In theory, HTTP headers, including customer IDs and session IDs, could be used for session hijacking, allowing attackers to log into customer accounts without needing to know any personal account information or passwords. However, in the real world, additional security measures preventing such session hijacking were likely in place,” our researchers explained.
Another risk to MagentaTV customers stems from potential cross-referencing. For example, attackers could use the leaked data and compare it against information from older data leaks. Since IP addresses are commonly present in leaked data, this could help malicious actors identify MagentaTV’s users.
The team’s investigation has also revealed that MagentaTV service was mainly accessed by TV boxes sold by DT, which is in line with the streaming aggregator being owned by the German telecom giant. MagentaTV devices were made by a Chinese original equipment manufacturer (OEM) and later resold under the DT-friendly brand. The team believes that such OEM devices are often more susceptible to vulnerabilities, which adds to the MagentaTV data leak’s precariousness.
“This leaked information would be immensely helpful to attackers exploiting devices by revealing their IP addresses, and the exposed customer IDs could also aid cybercriminals in attacks, depending on the specific exploit being used,” the team explained.
- Leak discovered: June 18th, 2025
- Initial disclosure: June 18th, 2025
- Cert contacted: June 18th, 2025
- Leak closed: July 22nd, 2025
Your email address will not be published. Required fields are markedmarked