MagicSlides Data Breach: 2.3 Million User Records Exposed

MagicSlides has established itself as a go-to AI productivity tool for professionals, students, and teams looking to generate polished presentations at speed. With millions of users relying on the platform for day-to-day work, a breach of this scale carries significant implications — not just for individual users, but for the organisations and payment ecosystems connected to their accounts.

What Happened

In March 2026, MagicSlides (accessible via magicslides.app), a popular AI-powered presentation and document creation platform, suffered a data breach resulting in the exposure of over 2.3 million unique user records. The compromised dataset extends well beyond basic contact details, encompassing payment platform identifiers, third-party integration credentials, and organisational metadata — making this one of the more operationally significant SaaS breaches of 2026.

Not all fields have been fully verified across every record, and the full scope of the breach continues to be assessed. The dataset has been indexed by Whiteintel and is available for exposure checks through the Global Search feature using the Corporate Records type.

Compromised Data Fields

What distinguishes this breach from a routine email-and-password dump is the variety of platform-specific identifiers included. The exposed data spans personal contact details, payment infrastructure tokens, third-party integration IDs, and organisational structure — creating a multi-dimensional profile of each affected user:

Why the Stripe and Telegram IDs Matter

Beyond standard PII, two fields in this breach stand out for their operational impact on threat actors: Stripe customer IDs and Telegram IDs.

Stripe Customer IDs — Payment Intelligence

A Stripe customer ID (cus_XXXX) is a unique identifier tied to a user's billing profile within the Stripe payment platform. While it does not expose raw card numbers or CVVs, its exposure creates several risks. Attackers with access to Stripe API credentials — or who can social-engineer Stripe support — can potentially cross-reference these IDs to retrieve subscription history, billing cycles, and in some cases payment method metadata. More practically, the presence of a Stripe ID confirms the user is or was a paying customer, making them a higher-value target for fraud and impersonation attacks.

Telegram IDs — Direct Messaging Vector

Telegram IDs are numeric identifiers uniquely associated with Telegram accounts. Unlike email addresses, a Telegram ID can be used to directly initiate contact with a victim on the Telegram platform — no guesswork required. This opens a direct channel for social engineering, phishing via Telegram, malware distribution through file sharing, and impersonation of MagicSlides support or sales personnel. For users who have their Telegram set to accept messages from anyone, this is an immediate risk.

Organisational Exposure and B2B Risk

The inclusion of organisation IDs in the breach is a clear indicator that MagicSlides' team and enterprise accounts were affected, not just individual users. Organisation IDs map directly to workspace structures — meaning threat actors can potentially identify which users belong to the same team, and target entire organisations rather than isolated individuals.

Combined with the signup source field — which reveals how users were acquired (e.g., via Google Ads, organic search, affiliate links, or integrations) — this dataset also constitutes a competitive intelligence asset, exposing MagicSlides' user acquisition funnel to bad actors and rival parties.

Recommendations for Affected Users and Organisations

If your organisation uses or has used MagicSlides, the following steps are recommended immediately:

• Check your Telegram privacy settings. Restrict who can message you and consider changing your Telegram username if it was linked to your MagicSlides account.
• Monitor your Stripe-linked payment methods. Review billing history for any anomalies and rotate API keys if your organisation uses Stripe directly.
• Change your MagicSlides password and enable multi-factor authentication if you have not already done so.
• Alert your security team if your organisation has an active MagicSlides subscription — the organisation ID field means whole teams may be identifiable in the breach.
• Be suspicious of unsolicited Telegram messages from unknown contacts referencing your account, subscription, or presentations.

How to Check Your Exposure

Whiteintel has fully indexed this breach. Organizations can verify whether their employees or domains appear in the MagicSlides dataset using the Global Search feature and selecting Corporate Records as the record type. This allows security teams to quickly assess organisational exposure and act before threat actors leverage the data.