A popular privacy-focused webmail service confirmed a data breach linked to outdated Roundcube software.
What happened
Cock.li, a Germany-based email hosting provider, has confirmed that over 1 million user records were stolen after attackers exploited a vulnerability in its Roundcube webmail platform, which it has since retired. The breach affected every user who logged into the Roundcube webmail since 2016, an estimated 1,023,800 people. In addition, the Roundcube contacts table was taken, exposing roughly 93,000 contact entries.
The attacker offered the stolen databases for sale on a cybercrime forum, demanding at least one Bitcoin (roughly $92,500). Cock.li verified the legitimacy of the breach shortly after users noticed a service disruption.
Going deeper
The data exposed includes email addresses, login timestamps, failed login counts, language settings, and user-configured Roundcube preferences. For a subset of about 10,400 accounts, the stolen contacts table also exposed vCards, contact names, and the email addresses of the people those users had saved as contacts.
Notably, no passwords, email content, or IP addresses were included in the stolen databases, according to Cock.li. Still, users are being advised to reset their passwords as a precaution, and those whose third-party contact data was exposed will receive direct notifications.
Cock.li attributes the breach to an old SQL injection flaw in Roundcube (CVE-2021-44026), which the Roundcube project patched upstream in November 2021. The service had initially investigated a more recent Roundcube vulnerability (CVE-2025-49113, a PHP deserialization flaw patched in June 2025) before tracing the intrusion to the older bug, and has now removed Roundcube from its platform entirely, citing long-standing security concerns.
What was said
In a public statement, Cock.li admitted that stronger security practices could have prevented the breach. “Cock.li should not have been running Roundcube in the first place,” said the site’s operator. The company also confirmed that Roundcube will no longer be offered, though a new webmail interface may be considered in the future.
For now, users must rely on external email clients using IMAP, SMTP, or POP3 protocols to access their Cock.li inboxes.
The big picture
The Cock.li breach points to the risks associated with legacy software in privacy-focused platforms. Although the service is popular among tech-savvy users, its dependence on outdated tools exposed a large number of accounts to potential compromise. Given the platform’s known use by ransomware groups and cybercriminal networks, the breach may also provide useful data for researchers and law enforcement. For smaller providers serving users who avoid mainstream services, gaps in infrastructure security can result in widespread consequences.
FAQs
What is Roundcube, and why was it a risk?
Roundcube is an open-source webmail interface. It is widely used, but older versions contained exploitable flaws, and fixed releases for CVE-2021-44026 had been available since late 2021. Cock.li continued running an unpatched installation long after the issue was documented, which ultimately led to this breach.
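The practical check behind this FAQ and the attribution above is whether a given Roundcube installation predates the fixes for the two CVEs named in this article. The script below is an added example, not Cock.li's or the Roundcube project's code. The fixed versions are taken from the public Roundcube release announcements (CVE-2021-44026 fixed in 1.3.17 and 1.4.12; CVE-2025-49113 fixed in 1.5.10 and 1.6.11); the version string is assumed to be read by the operator from the server, for example the RCMAIL_VERSION constant in program/include/iniset.php. The branch logic generalises beyond these two CVEs: a branch older than any patched branch is treated as end-of-life and unfixed, and a branch newer than all patched branches is treated as inheriting the fix.

```python
import re

# Fixed versions per CVE, keyed by release branch (major, minor).
# Values come from the Roundcube release announcements for each advisory.
FIXED_IN = {
    "CVE-2021-44026": {(1, 3): (1, 3, 17), (1, 4): (1, 4, 12)},  # SQL injection via session data
    "CVE-2025-49113": {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)},  # PHP object deserialization
}


def parse_version(text):
    """Turn a Roundcube version string such as '1.6.11' or '1.4.12-git' into a tuple.

    Suffixes like '-git' or '-beta' are ignored; a missing patch number counts as 0.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version, cve):
    """Return True if `version` is still vulnerable to `cve` according to FIXED_IN."""
    v = parse_version(version)
    fixes = FIXED_IN[cve]
    branch = v[:2]
    if branch in fixes:
        # Same branch as a fix release: vulnerable only if older than that release.
        return v < fixes[branch]
    if branch < min(fixes):
        # Branch predates every branch that received a fix: end-of-life, never patched.
        return True
    # Branch was cut after the fix landed upstream, so it inherits the fix.
    return False


def audit(version):
    """Map every CVE in FIXED_IN to whether the given version is affected."""
    return {cve: is_affected(version, cve) for cve in FIXED_IN}


if __name__ == "__main__":
    # Constructed sample versions, including the one immediately before each fix.
    for v in ["1.3.16", "1.4.11", "1.4.12", "1.6.10", "1.6.11"]:
        print(v, audit(v))
```

Run against an installation's version string, any True in the output means the server is running code with a known, published fix it has not received; in Cock.li's case the relevant line would have been the CVE-2021-44026 entry for whichever 1.3.x or 1.4.x release was deployed.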
How does Cock.li differ from mainstream email providers?
Cock.li markets itself as a privacy-respecting alternative with minimal moderation. It appeals to open-source advocates, infosec professionals, and privacy-conscious users but also has a reputation for attracting cybercriminal users due to its hands-off approach.
Could users be targeted based on the stolen data?
Yes. Exposed metadata, even without passwords or email content, can still be used for profiling, phishing, or social engineering, especially if attackers link user aliases with real-world identities.
How should users secure their Cock.li accounts now?
Users should reset their passwords immediately and consider retiring any aliases linked to personal or professional communications, since the leaked address list and contacts make targeted phishing easier. Accessing the mailbox through an up-to-date IMAP or POP3 client over TLS is also recommended now that the webmail interface is gone.