Incident

Data Breach at Cock.li email provider exposes over 1 Million user records

The Germany-based privacy-focused email hosting provider Cock.li has confirmed a data breach that exposed sensitive information belonging to over 1 million users.

Cock.li, operated by a single administrator known as Vincent Canfield since 2013, serves as a privacy-focused alternative to mainstream email providers. The service is used by people who distrust major providers and members of infosec and open-source communities, but is also popular among cybercriminals, such as affiliates from Dharma, Phobos, and other ransomware gangs. The platform has previously faced scrutiny from law enforcement agencies due to its use in various criminal activities, including bomb threats and ransomware campaigns.

The company believes that the attack was carried out by exploiting an old SQL injection vulnerability in the Roundcube webmail platform, tracked as CVE-2021-44026. The breach affected all users who had logged into the mail service since 2016, when the vulnerable Roundcube system was first deployed.

The incident became public when a threat actor claimed to be selling two databases containing data dumped from Cock.li, offering them for a minimum of one Bitcoin ($92,500). Initial signs of trouble had surfaced days earlier, when Cock.li's webmail portal was taken offline without warning, leaving users speculating about potential issues with the service.

The number of affected individuals totals 1,023,800 users whose login information was compromised, along with contact details for an additional 93,000 users associated with approximately 10,400 accounts. Exposed data includes:

  • Email addresses
  • First and last login timestamps
  • Failed login attempts and count
  • Language preferences
  • Serialized blob of Roundcube settings and email signatures
  • Contact names (for subset of 10,400 accounts)
  • Contact email addresses (for subset of 10,400 accounts)
  • vCards (for subset of 10,400 accounts)
  • Comments (for subset of 10,400 accounts)

The company claims that user account passwords, email content, and IP addresses were not compromised.

Cock.li removed the Roundcube software from their platform in June 2025. The company acknowledged that the breach could have been avoided with more proactive updates, noting "Cock.li should not have been running Roundcube in the first place". The service has permanently discontinued its webmail interface and advised users to transition to desktop or mobile email clients for accessing their accounts.

The 10,400 account holders whose third-party contact information was exposed will receive a separate notification, and everyone who has used the service since 2016 is advised to reset their account password.