Deutsche Telekom’s television and streaming service exposes user data for months through Ad platform leak

MagentaTV, Deutsche Telekom’s television and streaming service, unintentionally exposed user data for several months through an unsecured ad delivery platform, cybersecurity researchers disclosed. The leak involved sensitive metadata such as IP addresses, MAC addresses, session IDs, and customer identifiers, potentially putting millions of users at risk of tracking or targeted cyberattacks.

The breach was discovered in mid-June 2025 by the Cybernews research team, which found an unprotected Elasticsearch database hosted by Serverside.ai, a server-side ad insertion (SSAI) platform. According to researchers, the data originated entirely from MagentaTV, a service owned by Deutsche Telekom, Europe’s largest telecommunications company. Serverside.ai is operated by the French advertising technology company Equativ.

Researchers believe the exposed server had been publicly accessible since at least February 2025. It was taken offline after the research team contacted the responsible parties in June. Deutsche Telekom has not yet provided an official comment on the incident.

While much of the exposed data was considered non-sensitive, the researchers emphasized that logs included HTTP headers from user requests, which could allow attackers to assemble a digital footprint of MagentaTV customers. With repeated daily interactions between users and the platform, each log request carried identifying technical data.

The database contained more than 324 million log entries totaling 729 gigabytes of data. Logs were updated daily, with between 4 million and 18 million new entries recorded each day. Although the MagentaTV user base is estimated at 4.4 million, the scale of the data exposure raises concerns over the potential for cross-referencing with prior leaks.

Exposed information included IP addresses (which can reveal user location), MAC addresses (which identify devices), session IDs, customer IDs, and browser user agents. While this data does not include passwords or personally identifiable information such as names or addresses, it could theoretically be used for session hijacking or device-specific targeting.

“In theory, HTTP headers, including customer IDs and session IDs, could be used for session hijacking, allowing attackers to log into customer accounts without needing to know any personal account information or passwords,” the researchers noted. “However, in the real world, additional security measures preventing such session hijacking were likely in place.”

Researchers also warned about risks stemming from the use of original equipment manufacturer (OEM) TV boxes, primarily sold by Deutsche Telekom and manufactured in China. These devices, commonly used to access the MagentaTV platform, may be more prone to vulnerabilities, compounding the risk posed by the data leak.

No known exploitation of the leaked data has been reported to date, but experts caution that the information could be valuable to threat actors, particularly when combined with data from past breaches.