Cock.li email provider data leak from roundcube

Cock.li E-mail Hosting
Official Broadcast

16 June 2025

Cockleaks! Roundcube Exposes 1M Login Times, 93k Contacts, and More!


If you ever used webmail, you should change your password just in case.
Oh, and Webmail is gone, but you'll have to scroll to yesterday to read
about that.

You can appreciate the timing, can't you? Well, immediately after
posting our announcement that Roundcube is gone from cock.li for good,
we received word that two tables from cock.li's Roundcube database are
on offer for sale online.

The hacker reports they took the users and contacts tables. We were
immediately able to confirm the validity of the leak based on the column
count and samples provided.

Here's what those tables contained:

  1. ~1,023,800 users, everyone that logged into webmail since 2016, and
    their:
    - e-mail address
    - first webmail login timestamp
    - last webmail login timestamp
    - failed login timestamp and counter
    - language
    - a serialized representation of your preferences, which
      includes anything you saved into roundcube itself like
      all of your settings and your signature
  2. ~93,000 contact entries from ~10,400 users, including their:
    - name
    - email
    - vcards
    - comments

The ~10,400 users with contacts in the leak will be sent a second e-mail
to inform them.

Here's what was not leaked to our knowledge:
1. passwords
2. e-mails
3. IP addresses
4. the data of anyone who never used webmail

Passwords were stored in the sessions table, which is apparently not
included in the leak. There was no functioning "Remember me" feature on
cock.li's webmail so this would have included the password of anyone
actively logged into webmail. About 350 at any time.

Still, anyone who used webmail since 2016 should change their password.

The leak is being offered for a hefty price. Someone tell Troy we'll
send him the usernames ourselves for HIBP if he can prevent Cloudflare
from blocking @cock.li etc* from search on that site when using Tor >:(

  • curl -s https://cock.li/log.txt | tail -20 # get cock.li domains ez
    OR just turn this off
    completely why do you
    need to block that
    search field anyway
    WHAT ARE YOU WORRIED
    THEY WILL FIND

This is the part where you're expecting a root cause analysis, incident
response, etc. Our guess is CVE-2021-44026 (potential SQL injection)
which affected <1.4.12, a version cock.li stopped using long ago. It's
possible this data has been held onto for a while. If we match up the
columns and get a guess of when this incident occurred you'll get an
update on https://mail.cock.li/ and https://cock.li/log.txt.

There's hardly much more incident response to be done than what's been
written here. We removed Roundcube from the service just before
learning about this leak. For now the most secure webmail we know of is
nothing.

One burning question: Could we have prevented this leak by updating
Roundcube faster? Probably! We also could have upgraded to the branch
with RCE, but don't let that rain on your pitchforks. We could solve
this unknown by determining the exact means of exfiltration, but we have
already done extensive research on Roundcube and we would rather just
take the blame and save the time.

Cock.li should not have been running Roundcube in the first place. For
the most part, our choice in software has reflected the fact that e-mail
has been mostly unchanged for over 40 years. There is no need to get
fancy. It's e-mail.

The lessons we've learned here will be the foundation for our decisions
moving forward. We're deeply sorry for this incident. Over time I'm sure
you will find this to be an exception to an otherwise cautious security
philosophy and structure.

Cock.li Administration Team
official-contact // cock.li

sauce : https://mail.cock.li/

does that mean all roundcube users were affected ?

Thanked by 1: 10thHouse
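The broadcast above lists which columns leaked, says the dump's timestamps will be used to estimate when the exfiltration happened, and promises a second e-mail to the users whose contacts were included. The script below is an added example of that triage, not cock.li's own tooling: given exports of a Roundcube `users` and `contacts` table it bounds the capture time from the newest timestamp in the dump (a dump cannot predate the latest login it records), lists every account that must rotate its password, finds the accounts that need the second notice, and flags rows whose serialized preferences carry a saved signature. Column names follow the upstream Roundcube schema as the author of this example knows it (`created`, `last_login`, `failed_login`, `failed_login_counter`, `language`, `preferences`); the CSV rows themselves are constructed for the example.

```python
"""Triage helpers for a leaked Roundcube `users` / `contacts` export (added example)."""
import csv
import io
import re
from datetime import datetime

# Constructed sample rows in the layout of Roundcube's `users` table.
# Column names match the upstream schema; the accounts are made up.
SAMPLE_USERS_CSV = """user_id,username,mail_host,created,last_login,failed_login,failed_login_counter,language,preferences
1,alice@example.invalid,localhost,2016-03-01 10:00:00,2024-11-20 08:15:00,,0,en_US,"a:1:{s:8:""timezone"";s:3:""UTC"";}"
2,bob@example.invalid,localhost,2019-07-14 12:30:00,2025-02-02 23:59:59,2025-02-02 23:50:00,3,de_DE,a:0:{}
3,carol@example.invalid,localhost,2021-01-05 09:00:00,2021-01-05 09:00:00,,0,en_US,"a:1:{s:9:""signature"";s:5:""Carol"";}"
"""

# Constructed sample rows in the layout of Roundcube's `contacts` table (subset of columns).
SAMPLE_CONTACTS_CSV = """contact_id,user_id,name,email
10,1,Dave,dave@example.invalid
11,1,Erin,erin@example.invalid
12,3,Frank,frank@example.invalid
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_ts(value):
    """Roundcube DATETIME columns; an empty field means the event never happened."""
    value = (value or "").strip()
    return datetime.strptime(value, TS_FORMAT) if value else None


def load_users(csv_text):
    """Parse a users-table CSV export into dicts with typed timestamp/counter fields."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["created"] = parse_ts(row["created"])
        row["last_login"] = parse_ts(row["last_login"])
        row["failed_login"] = parse_ts(row["failed_login"])
        row["failed_login_counter"] = int(row["failed_login_counter"] or 0)
    return rows


def load_contacts(csv_text):
    """Parse a contacts-table CSV export; only user_id is needed for notification."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def earliest_possible_capture(users):
    """The dump was taken no earlier than the newest timestamp it contains.

    Comparing this value with the live database's later logins narrows the
    window in which the tables were exfiltrated.
    """
    stamps = [ts for u in users for ts in (u["last_login"], u["failed_login"]) if ts]
    return max(stamps) if stamps else None


def accounts_to_notify(users):
    """Every row in the leaked users table is an account that logged into webmail."""
    return sorted(u["username"] for u in users)


def users_with_contacts(users, contacts):
    """Accounts whose address book entries were in the dump (the 'second e-mail' group)."""
    by_id = {u["user_id"]: u["username"] for u in users}
    return {by_id[c["user_id"]] for c in contacts if c["user_id"] in by_id}


# PHP serialize() encodes a string key as s:<len>:"<key>"; match the signature key only.
_SIGNATURE_KEY = re.compile(r's:\d+:"signature";')


def has_saved_signature(preferences):
    """True when the serialized preferences blob carries a stored signature."""
    return bool(_SIGNATURE_KEY.search(preferences or ""))


def triage(users_csv, contacts_csv):
    """Summarize the leak the way an operator drafting the notification would."""
    users = load_users(users_csv)
    contacts = load_contacts(contacts_csv)
    return {
        "affected_accounts": len(users),
        "earliest_possible_capture": earliest_possible_capture(users),
        "second_notice": sorted(users_with_contacts(users, contacts)),
        "signature_exposed": sorted(u["username"] for u in users if has_saved_signature(u["preferences"])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_USERS_CSV, SAMPLE_CONTACTS_CSV).items():
        print(f"{key}: {value}")
```

On a real export the `earliest_possible_capture` value is only a lower bound; the upper bound comes from the first login recorded in the live database that the dump does not reflect.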

Comments

  • willgo (Member)

    It seems yes! :/

  • Francisco (Top Host, Host Rep, Veteran)

    @ShadowLurker said: does that mean all roundcube users were affected ?

    RC put out a patch last week. Cockli didn't patch in time and got yeeted.

    The exploit requires you to be able to login to RC in the first place, which is probably why it didn't get a CVE 10/10 score.

    Still, basically every DirectAdmin & cPanel host has already been updated.

    Francisco

    Thanked by 1: eb1995
  • yoursunny (Member, IPv6 Advocate)
    edited June 2025

    Are they a subsidy of CockHost (previously HostCock)?
    Name checks out.
    Not good for anything.

    Thanked by 2: wadhah, emgh
  • hivisdev (Member)
    edited June 2025

    Providers that have used that particular version were all affected. You can read more about the CVE here if you wish. As mentioned in the quote from cock.li, it was a vulnerability from 2023 that has subsequently been dealt with so going forward this is no longer a concern for newer versions.

    edit: I only had half the story, didn't realise there was a newer CVE.

  • plumberg (Veteran, Megathread Squad)

    Cock

    CUM

    Thanked by 1: MikeA
  • Rero (Member)

    RC 1.6.12 doesn't exist. The latest is 1.6.11.

  • wadhah (Member, Host Rep)
    edited June 2025

    @yoursunny said: Not good for anything.

    TRUE!

    CrankBis.Com (aff) | CrankBis.Com (non aff) is way better anyway, let us crank your bis™!

    Thanked by 1: oloke
  • yoursunny (Member, IPv6 Advocate)

    @wadhah said:
    CrankBis.Com (aff) | CrankBis.Com (non aff) is way better anyway, let us crank your bis™!

    We emailed the order with 3-sister payment a month ago and there's no response.

  • oloke (Member, Host Rep)
    edited June 2025

    @yoursunny said:

    @wadhah said:
    CrankBis.Com (aff) | CrankBis.Com (non aff) is way better anyway, let us crank your bis™!

    We emailed the order with 3-sister payment a month ago and there's no response.

    I have reasons to believe there will be no response...

    nslookup -query=mx crankbis.com
    Server: 8.8.8.8
    Address: 8.8.8.8#53
    
    Non-authoritative answer:
    *** Can't find crankbis.com: No answer
    

    they don't have email set up

  • emgh (Member, Megathread Squad)

    @yoursunny said:
    Are they a subsidy of CockHost (previously HostCock)?
    Name checks out.
    Not good for anything.

    CockHost best host since we fired @wadhah

    Thanked by 2: oloke, wadhah
  • yoursunny (Member, IPv6 Advocate)

    @oloke said:

    @yoursunny said:

    @wadhah said:
    CrankBis.Com (aff) | CrankBis.Com (non aff) is way better anyway, let us crank your bis™!

    We emailed the order with 3-sister payment a month ago and there's no response.

    I have reasons to believe there will be no response...

    they don't have email set up

    We were told to:

    @sh97 said:
    Send your mails to [email protected]

    Thanked by 1: oloke
  • suut (Member)

    Unfortunately, webmail is currently unavailable. I used it on a provider's Virtualizor Panel. Now I need to pay 5 euros to change my email. :'(
