Full Report
Email hosting provider Cock.li has confirmed it suffered a data breach after threat actors exploited flaws in its now-retired Roundcube webmail platform to steal over a million user records. [...]
Analysis Summary
# Incident Report: Cock.li Webmail Data Breach via SQL Injection
## Executive Summary
A malicious actor exfiltrated approximately one million user records from the Cock.li webmail service. The breach is attributed to exploitation of an old Roundcube SQL injection vulnerability (CVE-2021-44026) that was still present in Cock.li's infrastructure. As a result of this incident, and of recent findings regarding other Roundcube vulnerabilities, Cock.li has permanently removed the Roundcube webmail application from its service.
## Incident Details
- Discovery Date: Not explicitly stated; the breach was disclosed recently.
- Incident Date: Not explicitly stated.
- Affected Organization: Cock.li
- Sector: Email/Communication Service Provider
- Geography: Not disclosed
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Historical vulnerability exploitation)
- Vector: Exploitation of a known, likely unpatched, Roundcube SQL injection vulnerability.
- Details: The vulnerability is identified as CVE-2021-44026.
### Lateral Movement
- Not detailed, but the attack successfully accessed and exfiltrated the user database.
### Data Exfiltration/Impact
- Approximately 1 million user records were stolen.
- Affected users dating back to 2016 are being notified.
### Detection & Response
- Detection Method: Not specified; the breach became known through Cock.li's public confirmation.
- Response Actions: Users who have used the service since 2016 are receiving separate notifications, and Cock.li recommends that all of them reset their passwords. The response also included the permanent removal of Roundcube from the platform.
## Attack Methodology
- Initial Access: Exploitation of a Roundcube SQL injection vulnerability (CVE-2021-44026).
- Persistence: Not detailed in the provided text.
- Privilege Escalation: Not detailed in the provided text.
- Defense Evasion: Not detailed in the provided text.
- Credential Access: Because the breach targeted user records, any credentials or personal data stored in the database were compromised.
- Discovery: Not detailed in the provided text.
- Lateral Movement: Not detailed in the provided text.
- Collection: Database contents related to user records were gathered.
- Exfiltration: Stolen user data was transferred out of the system.
- Impact: Theft of user records impacting approximately 1 million accounts.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Approximately 1 million user records dating back to 2016. Specific data types are not listed; the records are implied to include personal data associated with webmail accounts.
- Operational: Discontinuation of the Roundcube webmail service.
- Reputational: Negative publicity resulting from the data breach.
## Indicators of Compromise
- Network indicators: Not disclosed.
- File indicators: Not disclosed.
- Behavioral indicators: Successful exploitation of CVE-2021-44026.
## Response Actions
- Containment measures: Implied by the removal of the compromised component (Roundcube).
- Eradication steps: The service administrators stated they had learned enough about Roundcube to "pull it from the service for good."
- Recovery actions: Users are advised to reset the passwords of all accounts used since 2016. Continued use of the service now requires a standalone mail client connecting over IMAP, POP3 or SMTP.
## Lessons Learned
- Relying on outdated or vulnerable software components (Roundcube) creates significant risk, particularly when the exploited vulnerability was publicly known years before the breach.
- The organization admitted that "Cock.li should not have been running Roundcube in the first place," indicating a failure in application selection and inherent security posture.
- Better security practices were needed to prevent the user data leak.
## Recommendations
- Immediately decommission or replace any software with known critical vulnerabilities (such as Roundcube, especially given the discovery of CVE-2025-49113 shortly after this breach).
- Audit all third-party applications for known-vulnerable versions, in particular those with published SQL injection flaws.
- Enforce mandatory organization-wide password resets following a database exposure event.
- Implement continuous security monitoring and patching protocols, especially for public-facing services.