The goal doesn't have to be to get your mail. It could also just be to gain unauthorized access to the server that Roundcube is running on. Then, once they have access, they modify the code to report login/password combinations to a remote URL, so they can use those to spam.