Top email hosting provider Cock.li hacked - over a million user records stolen
A now-retired Roundcube platform was abused

- A threat actor is offering two Cock.li databases for sale on the dark web
- Email hosting provider confirms authenticity of the database on sale
- Users are urged to change their passwords
A well-known email hosting provider, allegedly popular among hackers and cybercriminals, has been hacked, with sensitive information on more than a million users ending up for sale on the dark web.
The administration team for Cock.li confirmed someone had exploited a vulnerability in its now-retired Roundcube webmail platform - and that everyone who has logged in to its systems since 2016 is at risk.
“The hacker reports they took the ‘users’ and ‘contacts’ tables,” the announcement reads. “We were immediately able to confirm the validity of the leak based on the column count and samples provided.”
Webmail users affected
Cock.li is a German free email hosting provider, focusing on privacy and advertising itself as an alternative to mainstream solutions - meaning it has apparently been used by people who don’t trust mainstream companies, as well as cybercriminals.
Recently, it decided to abandon Roundcube completely, after discovering a remote code execution (RCE) flaw being actively exploited in the wild.
"Cock.li will no longer be offering Roundcube webmail," the admins said at the time. "Regardless of whether our version was vulnerable to this, we've learned enough about Roundcube to pull it from the service for good."
Soon after that happened, the service was disrupted, and then a threat actor started selling two databases allegedly grabbed from Cock.li, for one bitcoin, claiming the databases contained sensitive user information.
The email hosting provider then confirmed the claims, and urged users to update their passwords.
The "users" table contained email addresses, first and last webmail login timestamps, failed login timestamp and counter, language, and a serialized representation of user preferences, which includes anything users saved into Roundcube itself (such as settings or signatures), for approximately 1,023,800 users.
The attackers also scooped up approximately 93,000 contact entries from roughly 10,400 users, including their name, email, vCards, and comments. Passwords, emails, IP addresses, and the data of anyone who never used webmail were not compromised, the admins confirmed.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.