
Email hosting service Cock.li has reported a significant data breach affecting the records of more than one million users. The attackers exploited a known vulnerability in an outdated version of the Roundcube webmail platform, exposing data from 1,023,800 user accounts that accessed the service since 2016. Additionally, contact details for approximately 93,000 users were also compromised.
The incident came to light following a disruption of service last week, which left users questioning the integrity of their accounts. Shortly after the outage, a hacker claimed to possess two databases containing sensitive information from Cock.li. This individual subsequently placed the databases for sale on the internet, demanding a minimum payment of one Bitcoin. In response to these claims, Cock.li released an official statement confirming the validity of the breach and detailing the compromised information.
According to the security disclosure, the exposed data includes email addresses, timestamps for first and last logins, failed login attempt counts, language preferences, and serialised user settings stored within Roundcube. Notably, passwords were not included in the leaked data as they were stored separately in a different table not accessed during this breach.
The specifics of the breach indicate that around 10,400 user accounts had their contact information exposed. This includes names, email addresses, vCards, and any associated comments. Affected users are expected to receive separate notifications from Cock.li regarding the compromised contact entries. The provider reassured users that no email content or IP addresses were part of the leak.
Cock.li’s user base primarily consists of individuals who prefer privacy-centric email services over mainstream options, including members of technology-focused communities and those sceptical of larger email providers. However, it is also known to be utilised by some cybercriminals.
Vulnerability analysis and future security measures
Cock.li attributed the breach to an older SQL injection vulnerability tracked as CVE-2021-44026. The company stated that it had ceased using the vulnerable version of Roundcube long ago but acknowledged that better security practices could have mitigated this incident. Following this revelation, Cock.li has permanently removed Roundcube from its service offerings.
Looking ahead, Cock.li’s administration said that strengthening its security measures will be essential, and stressed that adopting better practices is paramount to safeguarding user data after this incident.
“The lessons we’ve learned here will be the foundation for our decisions moving forward,” said Cock.li. “We’re deeply sorry for this incident. Over time I’m sure you will find this to be an exception to an otherwise cautious security philosophy and structure.”
In light of this breach, users who accessed Cock.li since 2016 have been advised to reset their passwords immediately as a precautionary measure. Those who wish to continue using Cock.li for their email services will now need to rely on IMAP or SMTP/POP3 clients due to the discontinuation of webmail functionality. Cock.li stated that an internal investigation into how the breach occurred is underway and is expected to provide further insights into possible preventive measures against similar incidents in the future.