Over 1M Cock.li user records compromised via Roundcube exploits

BleepingComputer reports that everyone who has used the German free, privacy-focused email hosting service Cock.li since 2016, amounting to more than 1 million individuals, has been confirmed to have had their information compromised in a breach stemming from the exploitation of vulnerabilities in its deprecated Roundcube webmail platform.
Attackers leveraging the Roundcube SQL injection flaw, tracked as CVE-2021-44026, were able to exfiltrate 1,023,800 user accounts' email addresses, initial and last login timestamps, unsuccessful login attempts, language, and serialized Roundcube settings and email signature blobs, as well as contact names, contact email addresses, vCards, and comments for a subset of 10,400 accounts, said Cock.li in a statement. Cock.li's disclosure comes after Roundcube had been retired from its platform this month due to attacks involving the remote code execution issue, tracked as CVE-2025-49113. "Regardless of whether our version was vulnerable to this, we've learned enough about Roundcube to pull it from the service for good. Another webmail is definitely on the table, but it is not an immediate priority for us," said Cock.li.