What happened?
On 16 June, a free email hosting provider favoured by privacy enthusiasts and cybercriminals, Cock[.]li confirmed that attackers had exploited flaws in the service’s Roundcube webmail platform, stealing over a million records from users over nearly 10 years.
The announcement claimed that the attackers had taken information, including email addresses, names and some other metadata, but reassured users that “to the best of their knowledge”, passwords and email content were not compromised.
The service operators thought that the root cause was a flaw classified as CVE-2021-44026, which describes an SQL injection issue that allows attackers to gain access to tables of data in the service’s database. The issue was well-known, having been discovered in 2021, and seemingly a favourite of both attackers and pentesters alike, due to its ease of use.
Cock[.]li is privacy-focused and promoted as an alternative to mainstream email services, supporting standard email security mechanisms such as SMTP, IMAP and TLS. Users include information security specialists and it is known to be used by cybercriminals such as the Snatch Ransomware group, among others. The service makes strong claims about users' confidentiality on its website, claiming that it has “never received a legal order enforceable in its jurisdiction for user data” as well as other reassurances. It also published a list of subpoenas that it has received.
The service experienced disruption the previous week, and a threat actor, “Satoshi”, soon after on 12 June, advertised the stolen data on a prominent Russian-language hacking forum, asking a minimum of 1 BTC (around $90k at the time).
Figure 1 = "Sathoshi" post advertising the data (source: @ReyXBF on X.com)
So what?
In this case, it could have been worse for the service and the users. If accurate, the lack of email content and passwords will no doubt limit the potential damage that could be caused by the breach.
The incident is a reminder that even services marketing to a privacy-focused user base can be vulnerable to rudimentary attacks. Given the service’s status as a provider of choice for some attackers, it is likely an attractive target for other criminals, law enforcement and members of the intelligence community looking to gather information for their various motivations, including financial gain or strategic advantage over adversaries.
Furthermore, while the service makes some assurances about its use of “server side” encryption, it plainly states that not all data will be encrypted in transit, meaning that some email content could be read by a determined attacker with the requisite access to the email traffic.
The service has stopped using the Roundcube email platform, and individual users are advised to reset their passwords at the very least.
Businesses that convey sensitive information via email should consider commercial-grade providers that offer End to End Encryption (E2EE), using a high level of encryption standard, interoperability with business technology stacks and other tight privacy and security controls.