German privacy-focused email provider Cock.li has fallen victim to a significant cyberattack that compromised personal data of more than 1 million users. The breach resulted from attackers exploiting a critical SQL injection vulnerability in the widely used Roundcube Webmail client, highlighting the ongoing security challenges facing independent email services.
Scope of the Security Incident
According to official statements from the service administrators, the attack impacted 1,023,800 user accounts that had accessed the email service since 2016. An additional 93,000 users had their contact information compromised, making this one of the most substantial security breaches affecting privacy-oriented email providers in recent years.
Despite the large scale of the incident, administrators confirmed that user passwords, email content, and IP addresses remained secure. This critical data was stored in separate databases that attackers failed to access, limiting the potential damage from the breach.
Technical Analysis: CVE-2021-44026 Exploitation
Security researchers identified that the attackers exploited the known vulnerability CVE-2021-44026, a SQL injection flaw in Roundcube Webmail. SQL injection occurs when untrusted input is spliced into the text of a database query, so this vulnerability lets an attacker run arbitrary SQL against the application's database and read stored information without proper authorization.
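To make the failure mode concrete, the following is an added illustration of the generic SQL injection pattern and its fix. It is not Roundcube's code and does not reproduce the actual CVE-2021-44026 code path; it uses Python's built-in sqlite3 with a constructed in-memory "users" table and a constructed probe string, so it runs offline.

```python
import sqlite3


def _seed() -> sqlite3.Connection:
    """Build a constructed toy 'users' table standing in for a webmail database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),  # constructed sample rows
            ("bob", "bob@example.invalid"),
            ("carol", "carol@example.invalid"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the caller's input becomes part of the SQL text itself."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: a placeholder is used and the input is bound as a parameter.

    The database driver treats the value purely as data, so quote characters in the
    input can never change the structure of the query.
    """
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare() -> dict:
    """Run both lookups with a normal name and with a constructed tautology probe.

    Returns the row counts so the difference between the two patterns is visible:
    the vulnerable query leaks the whole table, the hardened one matches nothing.
    """
    conn = _seed()
    normal = "alice"
    probe = "x' OR '1'='1"  # constructed probe string, not from any real incident
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_probe": len(lookup_vulnerable(conn, probe)),
        "safe_normal": len(lookup_hardened(conn, normal)),
        "safe_probe": len(lookup_hardened(conn, probe)),
    }


if __name__ == "__main__":
    print(compare())
```

The fix is the single most effective defence against this bug class: never build SQL from string concatenation, always bind user-controlled values as parameters. A second layer, which is exactly what limited the damage in this incident, is to keep the web application's database account and the data it can reach separate from the stores holding credentials and message content, so a query executed through the webmail tier cannot read what the webmail tier does not need.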
Ironically, the Cock.li team had been investigating a more recent remote code execution vulnerability in Roundcube (CVE-2025-49113) that was actively being exploited in the wild. Following their security assessment, Roundcube was completely removed from the platform in June 2025, though this action came too late to prevent the current breach.
Service Background and User Demographics
Cock.li operates as a free email hosting provider focused on privacy protection, managed by a single administrator using the pseudonym Vincent Canfield. Operating since 2013, the service positions itself as an alternative to major commercial email providers while supporting standard protocols including SMTP, IMAP, and TLS encryption.
The platform primarily serves cybersecurity professionals, open-source software enthusiasts, and users who distrust large technology corporations. Unfortunately, the service has also gained popularity among cybercriminals, including members of the Dharma and Phobos ransomware groups, complicating its reputation within the security community.
Incident Timeline and Response
The first signs of trouble emerged late last week when Cock.li services suddenly became unavailable without explanation. Shortly after, threat actors began advertising two databases containing user information on the XSS hacking forum. The cybercriminals demanded a minimum price of one Bitcoin (approximately $104,000 USD) for the stolen data.
Official confirmation of the breach came several days later when administrators published a detailed incident report. All users active since 2016 received urgent recommendations to immediately change their account passwords as a precautionary measure.
Industry Impact and Lessons Learned
Cock.li administrators acknowledged that more robust security measures could have prevented this incident. In their official statement, they admitted: “Cock.li should never have used Roundcube in the first place.” The service announced it will no longer offer the Roundcube web interface to users.
Cybersecurity experts note that this data breach could provide significant value to researchers and law enforcement agencies, as the exposed information might help identify malicious actors who actively used the platform for criminal activities.
The Cock.li incident serves as another critical reminder of the importance of timely software updates and comprehensive cybersecurity approaches. Organizations must regularly conduct security audits of their systems and promptly address identified vulnerabilities, particularly in components handling sensitive user data. This breach underscores that even privacy-focused services are not immune to sophisticated attacks when fundamental security practices are overlooked.