1 Million Cock.li Accounts Exposed in Major Data Breach
▼ Summary
– Cock.li suffered a data breach exposing over 1 million user records due to flaws in its retired Roundcube webmail platform.
– The breach compromised email addresses, login timestamps, and contact details for some users, but not passwords or email content.
– Cock.li, a privacy-focused email provider, is popular among infosec communities and cybercriminals, run by a single operator since 2013.
– The breach was caused by an old Roundcube SQL injection vulnerability (CVE-2021-44026), prompting Cock.li to permanently remove Roundcube from its service.
– Users are advised to reset passwords, and Cock.li will now require IMAP or SMTP/POP3 clients for email access instead of webmail.
A major data breach at privacy-focused email service Cock.li has exposed sensitive information from over one million user accounts. The Germany-based provider confirmed attackers exploited vulnerabilities in its retired Roundcube webmail platform to access extensive user records spanning back to 2016.
The compromised data includes email addresses, login timestamps, language preferences, and system settings for 1,023,800 accounts. Approximately 10,400 users had additional contact details exposed, including names, email addresses, vCards, and personal comments stored in their address books. Fortunately, passwords, email contents, and IP addresses remained secure as they weren’t stored in the affected databases.
Cock.li operates as an alternative email provider favored by privacy-conscious users, cybersecurity professionals, and unfortunately, some malicious actors. Its minimal moderation policies have made it popular among ransomware affiliates and others seeking anonymity. The breach came to light after service disruptions last week, followed by a hacker advertising stolen databases for sale at one Bitcoin (approximately $92,500).
Investigations revealed attackers likely exploited CVE-2021-44026, an SQL injection flaw in Roundcube. This incident occurred shortly after Cock.li identified CVE-2025-49113, a critical remote code execution vulnerability in the same software. The provider had already decided to phase out Roundcube in June 2025, citing security concerns.
In an official statement, Cock.li admitted running Roundcube was a mistake, emphasizing that stronger security measures could have prevented the breach. The service has permanently discontinued Roundcube support, leaving users to access emails exclusively through IMAP or SMTP/POP3 clients. While alternative webmail solutions may arrive eventually, the team currently prioritizes stabilizing the platform.
All affected users should immediately reset their passwords as a precaution. Those with exposed contact information will receive direct notifications. Security analysts note this breach could provide valuable intelligence, as the data might reveal patterns about threat actors who relied on Cock.li’s services.
The incident underscores the risks of outdated software in email infrastructure, particularly for providers catering to high-risk users. Cock.li’s transparency about its security shortcomings sets a precedent, but the breach serves as a stark reminder about the importance of proactive vulnerability management.
(Source: BLEEPING COMPUTER)
