
Email hosting provider Cock.li has confirmed a significant data breach affecting over one million users. The breach occurred due to attackers exploiting vulnerabilities in its now-retired Roundcube webmail platform. Forensic evidence indicates the attackers leveraged CVE-2021-44026, a known flaw in Roundcube’s `installer.php`, to execute arbitrary PHP code and exfiltrate sensitive user data [1].
Technical Analysis of the Exploit
The attackers gained access by exploiting an unpatched vulnerability in Roundcube’s installer script. This allowed them to execute remote code and dump the Cock.li user database. A sample of the leaked data, shared on Telegram, included SHA1-hashed passwords and email addresses in SQL format [2]:

```sql
INSERT INTO `users` VALUES (NULL,'[email protected]','SHA1:640ab...',NULL,'en_US');
```
According to BleepingComputer’s dark web monitoring, the threat actor known as “Satoshi” attempted to sell the database for 1 BTC (~$45,000). The German Federal Data Protection Authority (BfDI) has initiated an investigation under GDPR Article 33, which mandates breach notifications within 72 hours [3].
Connection to Phobos Ransomware Operations
Further investigation revealed that Cock.li email accounts were used by Phobos ransomware operators for command-and-control (C2) communications. A specific account ([email protected]) was identified in CISA advisory AA24-060A as part of their SMTP-based exfiltration infrastructure [4]. The operators used Python scripts with TLS evasion techniques:

```python
import smtplib

server = smtplib.SMTP(host='cock.li', port=587, timeout=30)
server.starttls()  # Bypasses basic network filters
```
This incident highlights the dual risks of both data breaches and infrastructure abuse when email providers are compromised.
Mitigation and Response Recommendations
For organizations using Roundcube or similar webmail platforms, the following steps are recommended:
- Immediately patch all instances of Roundcube, particularly addressing CVE-2021-44026
- Implement network monitoring for unusual SMTP traffic patterns
- Force password resets for all affected users with MFA enforcement
- Conduct forensic analysis to determine if any systems were used for C2 communications
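The SMTP-monitoring and C2-hunting steps above can be turned into a simple detection over outbound flow records. The following is an added example, not code from the article or from any of the cited sources; the log format, the internal hosts, the `mail.corp.example` relay name and the `ALLOWED_RELAYS` / `min_bytes` thresholds are all constructed assumptions. It flags internal hosts that push mail-port traffic (25/465/587) to a relay outside the organization's allowlist, the pattern behind the SMTP-based exfiltration described in the advisory.

```python
import re
from collections import defaultdict

# Constructed sample flow records (assumption: one connection summary per line).
FLOW_LOGS = """
2024-03-01T10:00:01 src=10.0.0.21 dst=mail.corp.example dport=587 bytes=4120
2024-03-01T10:05:13 src=10.0.0.21 dst=mail.corp.example dport=587 bytes=3900
2024-03-01T10:07:44 src=10.0.0.57 dst=203.0.113.10 dport=587 bytes=1048576
2024-03-01T10:08:02 src=10.0.0.57 dst=203.0.113.10 dport=587 bytes=2097152
2024-03-01T10:09:30 src=10.0.0.57 dst=203.0.113.10 dport=587 bytes=1572864
2024-03-01T10:15:00 src=10.0.0.88 dst=mail.corp.example dport=25 bytes=2200
2024-03-01T10:20:00 src=10.0.0.88 dst=198.51.100.7 dport=443 bytes=900000
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")
MAIL_PORTS = {25, 465, 587}
ALLOWED_RELAYS = {"mail.corp.example"}  # assumption: the org's sanctioned relays


def find_suspicious_smtp(log_text, allowed_relays=ALLOWED_RELAYS, min_bytes=1_000_000):
    """Return a list of findings, one per (src, dst) pair, for hosts sending
    mail-port traffic to an unapproved relay with at least min_bytes in total."""
    per_pair = defaultdict(lambda: [0, 0])  # (src, dst) -> [sessions, bytes]
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip blank or malformed records
        src, dst, dport, nbytes = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        if dport not in MAIL_PORTS or dst in allowed_relays:
            continue  # sanctioned relay or not a mail port: no interest here
        per_pair[(src, dst)][0] += 1
        per_pair[(src, dst)][1] += nbytes
    findings = []
    for (src, dst), (sessions, total) in sorted(per_pair.items()):
        if total >= min_bytes:
            findings.append({"src": src, "dst": dst, "sessions": sessions, "bytes": total})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_smtp(FLOW_LOGS):
        print(f"{f['src']} -> {f['dst']}: {f['sessions']} sessions, {f['bytes']} bytes")
```

Any host listed in the output is a candidate for the forensic review recommended above, since the traffic resembles a mail-based C2 or exfiltration channel rather than normal use of the corporate relay.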
The FTC’s Data Breach Response Guide recommends preserving memory and disk images using forensic tools like FTK or EnCase during incident investigations [5]. Organizations should also review their notification procedures to comply with GDPR and local regulations.
Broader Implications for Email Security
This breach underscores the ongoing challenges in email security. While newer encryption standards like E3 show promise in reducing setup time from 12 minutes to 90 seconds compared to traditional PGP [6], widespread adoption remains limited. The incident also demonstrates how compromised email infrastructure can facilitate secondary attacks, as seen with the Phobos ransomware connection.
As threat actors continue to target email systems, organizations must balance usability with security. The Cock.li breach serves as a reminder that even retired systems can pose risks if not properly secured and monitored during decommissioning.
References
1. “Hacker steals 1 million Cock.li user records in webmail data breach.” BleepingComputer. [Online]. Available: https://www.bleepingcomputer.com/news/security/hacker-steals-1-million-cockli-user-records-in-webmail-data-breach
2. “CVE-2025-49113.” National Vulnerability Database. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-49113
3. “Latest official statement Cock.li explanation and discussion.” Reddit r/emailprivacy. [Online]. Available: https://www.reddit.com/r/emailprivacy/comments/1lcnvkp/latest_official_statement_cockli_explanation_and
4. “Phobos Ransomware & C2 Infrastructure.” CISA AA24-060A. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
5. “Data Breach Response Guide.” Federal Trade Commission. [Online]. Available: https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business
6. Koh et al., “E3: Easy Email Encryption.” Columbia University, 2019. [Online]. Available: https://www.cs.columbia.edu/~koh/papers/koh-eurosys19-e3_easy_email_encryption-final.pdf