Overview
A newly uncovered data leak dubbed “FortiBleed” has exposed Fortinet and FortiGate VPN credentials belonging to 73,932 firewall URLs across organizations worldwide. Security researcher Bob Diachenko discovered a server containing what appeared to be valid Fortinet VPN usernames, emails, and plaintext passwords, revealing a massive breach of enterprise‑grade network security.

Scope and Impact
The leaked dataset includes credentials from major global enterprises such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes‑Benz, Toyota, and Sinopec.
| Statistic | Detail |
|---|---|
| Total Devices Affected | 73,932 Fortinet firewalls |
| Unique Domains Impacted | 21,632 across 194 countries |
| Top Affected Regions | India, U.S., Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, UAE |
| Primary Sectors | Telecommunications, IT services, finance, government, healthcare, education, manufacturing |
Threat intelligence firm Hudson Rock described the collection as one of the largest known troves of compromised Fortinet‑related credentials, with attackers maintaining detailed logs of successful compromises and verified passwords for organizations across critical industries.
How FortiBleed Happened
Diachenko’s investigation revealed that a Russian‑speaking multi‑operator group harvested credentials for FortiGate SSL VPN devices through a massive brute‑force and hash‑cracking operation.
Attack Chain:
- Credential Harvesting → 1.16 billion attempts against 320,777 FortiGate targets.
- Hash Interception → SSL VPN authentication hashes captured and cracked using a 45‑GPU cluster via Hashtopolis.
- Lateral Movement → Recovered credentials used to access internal Active Directory environments.
- Data Compilation → Attackers organized credentials by industry, revenue, and employee count for target prioritization.
Diachenko also found artefacts and scripts left on the open server, including cron jobs and bash histories, revealing the attackers’ tooling and analytics workflow.
Verification and Authenticity
Cybersecurity researcher Kevin Beaumont independently verified the dataset, confirming that many credentials were authentic and still active.
“The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data,” Beaumont wrote.
Beaumont noted that the data likely originated from exported Fortinet configuration files, not from older leaks like the 2025 Belsen Group incident. He found that many affected devices expose their FortiGate management interfaces directly to the internet, making them prime targets for credential harvesting.
Mitigation and Recommendations
Organizations listed in the dataset should act immediately to secure their Fortinet infrastructure.
- Rotate All Credentials → Change VPN and administrative passwords for FortiGate devices.
- Enforce MFA → Add multi‑factor authentication for all VPN and admin logins.
- Audit Gateway Logs → Look for unusual login patterns or failed authentication bursts.
- Monitor Employee Credentials → Use threat intelligence feeds to detect leaked accounts.
- Restrict Management Access → Avoid exposing FortiGate management interfaces to the public internet.
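One way to carry out the "Audit Gateway Logs" step above, as an added example that is not code from the article, Fortinet or Hudson Rock: it parses constructed log lines written in FortiGate's key=value event style (the field names action, remip and user are assumed to match the real format), flags source IPs that produce a burst of ssl-login-fail events, and reports whether a successful ssl-login from the same IP followed the burst, which is the pattern a brute-force that recovered a working credential leaves behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample approximating FortiGate's key=value SSL VPN event log; field
# names follow FortiGate conventions, every value is invented for this example.
SAMPLE_LOGS = """\
date=2025-10-01 time=02:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="jdoe"
date=2025-10-01 time=02:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="jsmith"
date=2025-10-01 time=02:00:09 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="admin"
date=2025-10-01 time=02:00:15 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="backup"
date=2025-10-01 time=02:00:22 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="vpnuser"
date=2025-10-01 time=02:01:03 type="event" subtype="vpn" action="ssl-login" remip=203.0.113.5 user="vpnuser"
date=2025-10-01 time=08:15:40 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice"
date=2025-10-01 time=08:16:02 type="event" subtype="vpn" action="ssl-login" remip=198.51.100.7 user="alice"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value line into a dict; quotes stripped, timestamp parsed."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed SSL VPN logins inside one window.
    For each, list the usernames tried and whether a successful login from the
    same IP followed the burst, the signal that a guessed credential worked."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    fails, successes = defaultdict(list), defaultdict(list)
    for r in events:
        if r.get("action") == "ssl-login-fail":
            fails[r["remip"]].append(r)
        elif r.get("action") == "ssl-login":
            successes[r["remip"]].append(r)
    alerts = {}
    for ip, recs in fails.items():
        # Sliding window: the threshold-th failure must fall within `window` of the first.
        for i in range(len(recs) - threshold + 1):
            burst_end = recs[i + threshold - 1]["ts"]
            if burst_end - recs[i]["ts"] <= window:
                alerts[ip] = {
                    "users_tried": sorted({r["user"] for r in recs}),
                    "success_after_burst": any(s["ts"] > burst_end for s in successes[ip]),
                }
                break
    return alerts
```

A single failed login followed by a success (the 198.51.100.7 lines) is not flagged, which keeps an ordinary mistyped password out of the alert set.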
Hudson Rock has released a FortiBleed lookup tool to help organizations check if their domains appear in the dataset.
Fortinet’s Response
Following the disclosure, Fortinet issued a statement clarifying that the leak is not linked to any new vulnerability or breach.
“Based on our analysis, the data involved is a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory,” Fortinet said.
The company emphasized that organizations following routine best practices — such as regular credential refresh and MFA enforcement — face minimal risk from this campaign.
Expert in the Cloud Insight
The FortiBleed incident illustrates how credential reuse and exposed management interfaces remain the Achilles’ heel of enterprise security. Even without a new exploit, attackers can weaponize old data and brute‑force automation to breach modern systems.
For security leaders, the takeaway is clear: credentials are the new perimeter. Continuous rotation, MFA, and restricted interface exposure must be treated as non‑negotiable controls in any VPN deployment.