- Cybernews found an unprotected database containing sensitive data on millions of MagentaTV users
- Around 324 million logs were contained within
- The database has since been locked down, but users should be on their guard
MagentaTV, a TV and streaming platform owned by German telecommunications giant Deutsche Telekom has been found leaking sensitive customer information for months.
In a blog post, security researchers from Cybernews said in June 2025, it found an unprotected Elasticsearch instance, hosted by Serverside.ai, which is a server-side ad insertion platform.
The archive weighs 729GB, and contains more than 324 million log entries. These entries contained users’ IP addresses, MAC addresses, session IDs, customer IDs, and user agents. Furthermore, some of the logs contained HTTP headers from requests the customers were sending.
Hijacking sessions and impersonating users
Deeper investigation determined the database belonged to MagentaTV, and that it was receiving between 4 and 18 million new logs every day.
“In theory, HTTP headers, including customer IDs and session IDs, could be used for session hijacking, allowing attackers to log into customer accounts without needing to know any personal account information or passwords. However, in the real world, additional security measures preventing such session hijacking were likely in place,” Cybernews researchers said.
Theoretically, there are plenty of things threat actors could do with this information.
They could use IP addresses to find people’s real-life locations, or could use MAC addresses to identify, or track, specific devices, even spoofing them in certain scenarios. Session IDs (if still valid) could be used to hijack active sessions, impersonate users, and gain access to their accounts or personal data.
Customer IDs could allow threat actors to reconstruct user profiles, leading to spear phishing, social engineering, or credential stuffing campaigns, while HTTP headers might contain browsing activity, cookies, authentication tokens, and more.
MagentaTV most likely started leaking the data in February 2025 and plugged the hole after being tipped off by Cybernews.
