- A threat actor is offering two Cock.li databases for sale on the dark web
- Email hosting provider confirms authenticity of the database on sale
- Users are urged to change their passwords
A well-known email hosting provider, allegedly popular among hackers and cybercriminals, has been hacked, with sensitive information on more than a million users ending up for sale on the dark web.
The administration team for Cock.li confirmed someone had exploited a vulnerability in its now-retired Roundcube webmail platform – and that everyone who has logged in to its systems since 2016 is at risk.
“The hacker reports they took the “users” and “contacts” tables,” the announcement reads. “We were immediately able to confirm the validity of the leak based on the column count and samples provided.”
Webmail users affected
Cock.li is a German free email hosting provider, focusing on privacy and advertising itself as an alternative to mainstream solutions – meaning it has apparently been used by people who don’t trust mainstream companies, as well as cybercriminals.
Recently, it decided to abandon Roundcube completely, after discovering a remote code execution (RCE) flaw being actively exploited in the wild.
“Cock.li will no longer be offering Roundcube webmail,” the admins said at the time. “Regardless of whether our version was vulnerable to this, we’ve learned enough about Roundcube to pull it from the service for good.”
Soon after that happened, the service was disrupted, and then a threat actor started selling two databases allegedly grabbed from Cock.li, for one bitcoin, claiming the databases contained sensitive user information.
The email hosting provider then confirmed the claims, and urged users to update their passwords.
The tables contained email addresses, first webmail login timestamp, last webmail login timestamp, failed login timestamp and counter, language, and a serialized representation of user preferences, which includes anything they saved into roundcube itself (different settings or signatures), for approximately 1,023,800 users.
The attackers also scooped up approximately 93,000 contact entries from roughly 10,400 users, including their name, email, vcards, and comments. Passwords, emails, IP addresses, and the data of anyone who never used webmail, was not compromised, the admins confirmed.
Via BleepingComputer
