Huge data leak at MagentaTV – 324 million log entries publicly accessible

• Between early February 2025 and mid-June 2025, an unprotected Elasticsearch instance for MagentaTV, operated via Serverside.ai/Equativ, was publicly accessible online.
• On June 18, security experts from Cybernews discovered the leak and informed Deutsche Telekom, which finally took the instance offline on July 22.
• This database contained over 324 million log entries, totaling about 729 GB, with 4 to 18 million new entries added daily.
• Affected data: IP addresses, MAC addresses, Session IDs, Customer IDs, and User-Agent information—no payment details or personal names, but unique device and account information were exposed.

• Session Hijacking: With the session IDs, attackers could theoretically log into user accounts without a password.
• Targeted Phishing and Cyberattacks: IP and MAC addresses combined with User-Agent data enable personalized attacks.
• Data Cross-Referencing with Previous Leaks: In combination with earlier leaks, this information could make it easier to identify users.
• Hardware Risks: Set-top boxes from China potentially have higher security risks, increasing vulnerability.
• Reputation and Regulatory Consequences: Even without particularly sensitive data, trust is at risk, and data protection authorities will be scrutinizing the situation closely.

• Responsibility for Technical Security Architecture: You must ensure that third-party providers like Serverside.ai use secure configurations, for example, for Elasticsearch instances.
• Risk Management & Third-Party Control: Careful security assessments and audits of service providers are mandatory.
• Sensitivity Awareness: Even HTTP headers are considered a potential attack vector. You must realistically assess possible scenarios.
• Compliance Requirements: GDPR, the IT Security Act, and industry-specific regulations require appropriate protective measures.
• Brand Protection: A data leak of this magnitude can cause long-term damage to customer trust and the company's reputation, directly affecting executives.

1. Secure Configuration of Elasticsearch & Co.
   • Always enable authentication and access restrictions (e.g., IP whitelist, HTTPS, strong passwords).
   • Regularly check which instances are publicly accessible.
2. Third-Party Security Audits
   • Regularly request security audits from service providers.
   • Never rely on default configurations—actively check them.
3. Implement Logs & Monitoring
   • Continuously monitor database access and automate alerts for unusual activity.
4. Implement Data Minimization
   • Only log necessary data and, where possible, anonymize or pseudonymize it.
5. Maintain Incident Response Processes
   • Have a clearly defined security incident response plan: reporting channels, communication, and recovery strategy.
6. Promote Awareness & Training
   • Train your teams on common pitfalls with cloud/third-party platforms.
   • Raise awareness about data leaks, even with log or metadata, not just classic personal data.

The MagentaTV data leak clearly shows one thing: even seemingly non-critical log data can be a gateway for an attack—and this can happen due to a technical misconfiguration by a third-party provider.

Your next steps:

• Set up an internal workshop to check your infrastructure for similar risks. heyData can support you with practical security and compliance checks tailored to your company.
• If you like, subscribe to our newsletter—we regularly keep you up to date on current compliance and security trends!

Q: What happened in the MagentaTV data leak? 
A: A massive data leak exposed over 324 million log entries from MagentaTV customers. The data was accessible for months due to a misconfigured Elasticsearch instance by a third-party provider, Serverside.ai.

Q: What kind of data was exposed? 
A: The exposed data included IP addresses, MAC addresses, Session IDs, Customer IDs, and User-Agent information. No personal names, addresses, or payment information were leaked.

Q: What are the potential risks for affected individuals? 
A: While no highly sensitive personal data was leaked, the combination of exposed information could lead to risks like session hijacking, targeted phishing attempts, and easier identification of users by cross-referencing with other data breaches.

Q: What is the cause of the data leak? 
A: The leak was caused by a technical misconfiguration—specifically, an unprotected Elasticsearch instance that was publicly accessible on the internet.

Q: What steps should companies take to prevent similar incidents? 
A: Companies should ensure secure configurations for all databases, conduct regular security audits of third-party providers, implement continuous monitoring, and have a clear incident response plan. Data minimization and regular employee training are also crucial.