Privacy-focused email provider Cock.li has confirmed a data breach affecting more than 1 million users, after hackers exploited a flaw in its now-deprecated Roundcube webmail platform.

According to the service’s announcement, the breach exposed the data of 1,023,800 users who had logged in since 2016, along with 93,000 additional contact entries. While no passwords or email content were compromised, the leaked database includes:

Email addresses

First and last login timestamps

Failed login attempts

Language preferences

Roundcube settings and email signatures

Contact names, emails, vCards, and comments (for 10,400 accounts)

The breach reportedly stems from a known SQL injection vulnerability (CVE-2021-44026) in Roundcube, which Cock.li finally retired in June 2025 after analyzing a new RCE flaw (CVE-2025-49113) believed to be under active exploitation.

Source: BleepingComputer

The incident came to light after a threat actor attempted to sell Cock.li’s user data on a dark web marketplace, asking for at least 1 Bitcoin (~$92,500). Cock.li confirmed the breach after temporarily going offline last week without explanation.

The email provider, which is widely used by the infosec and open-source communities, and even cybercriminal groups like Dharma and Phobos ransomware gangs, acknowledged that the breach was preventable. “Cock.li should not have been running Roundcube in the first place,” the admin admitted in a public statement.

Users are urged to reset their passwords immediately, and the 10,400 individuals with third-party contacts exposed will be contacted directly. Going forward, Cock.li will only support IMAP/SMTP/POP3 clients, with no webmail service currently planned.
