
FortiBleed leak exposes VPN credentials for 73,000 Fortinet devices

Summary

– A data leak called “FortiBleed” exposed 73,932 Fortinet and FortiGate VPN credentials, including plaintext passwords, for organizations worldwide.
– The leaked data includes entries for major companies like Chevron, Samsung, and Comcast, as well as government agencies and critical infrastructure operators.
– Security researcher Bob Diachenko linked the operation to a Russian-speaking threat group that performed billions of credential attempts and used a 45-GPU cluster to crack VPN authentication hashes.
– The dataset, containing verified credentials for roughly 75,000 devices, appears to have originated from exported Fortinet configurations, with most affected devices still online.
– Experts recommend affected organizations immediately rotate VPN passwords, enforce multi-factor authentication, and check gateway logs for suspicious activity.

A newly uncovered data breach, dubbed FortiBleed, has compromised VPN credentials for over 73,000 Fortinet and FortiGate firewall URLs across organizations worldwide. The leak, which includes usernames, email addresses, and plaintext passwords, poses a significant threat to critical infrastructure and major corporations.

Security researcher Bob Diachenko first identified the exposed data on an unsecured server. He described the collection as part of a “massive Fortinet/FortiGate brute force and active exploitation campaign.” Screenshots shared by Diachenko reveal entries for high-profile entities such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, and State Grid.

According to Diachenko, the server contained files listing 21,634 domain names, with “potentially working passwords” obtained through various means. The data also included comments detailing each organization’s industry, revenue, and employee count, likely to prioritize attack targets.

Further investigation by Diachenko suggests a Russian-speaking multi-operator threat group was behind the operation, harvesting credentials for FortiGate SSL VPN devices. The attackers allegedly launched approximately 1.16 billion credential attempts against 320,777 FortiGate targets, plus 2.1 billion attempts against 163,650 Microsoft SQL Server systems. They reportedly intercepted SSL VPN authentication hashes, cracked them using a 45-GPU cluster managed through Hashtopolis, and used the recovered credentials for lateral movement into internal Active Directory environments.

Diachenko obtained these details from additional files inadvertently exposed on the same server. “They accidentally left an open directory with artifacts, connection strings, tooling, scripts, and data online,” he told BleepingComputer. Analytics revealed that multiple organizations in Japan, Taiwan, Vietnam, Iraq, and Turkey were fully compromised, including a Turkish NATO defense contractor from which classified documents were allegedly stolen.

Threat intelligence firm Hudson Rock later analyzed the dataset after receiving it from Diachenko, describing it as one of the largest known troves of compromised Fortinet credentials. The dataset contains 73,932 unique firewall URLs across 194 countries, impacting 21,632 unique domains. The attackers maintained detailed logs of successful compromises, building a database of verified credentials across nearly every major industry sector.

Organizations listed in the dataset include Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, and numerous government agencies and critical infrastructure operators. The highest number of affected devices was in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the UAE. The most common sectors are telecommunications, IT services, financial services, government, healthcare, education, and manufacturing.

A curious aspect of the leak is that many exposed passwords are long and complex, typically considered difficult to crack. Cybersecurity researcher Kevin Beaumont independently verified portions of the data, confirming the authenticity of some admin logins and passwords. “This looks like a real dump,” he said.

Beaumont later published additional findings indicating the dataset contains credentials for roughly 75,000 Fortinet devices, most of which remain online. The data appears to have originated from exported Fortinet configurations because it includes information like email addresses that are only accessible through configs. The affected IP addresses differ from those in the 2025 Belsen Group Fortinet leak, suggesting this is a more recent and larger collection.

Beaumont verified that multiple organizations used valid credentials and noted that many affected devices run relatively recent FortiOS versions. “The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data,” he wrote. Based on Shodan network data, the leak includes approximately half of all internet-accessible Fortinet firewalls, with a majority exposing their FortiGate management interfaces directly to the internet.

The source of the configuration data remains unknown. It is unclear whether it was stolen through previously disclosed Fortinet vulnerabilities, a newly discovered flaw, or some other method. Neither Diachenko, Hudson Rock, nor Beaumont has identified how the data was originally obtained.

Hudson Rock has released a free FortiBleed lookup tool for organizations to check if they are impacted. Affected organizations should immediately rotate passwords for Fortinet VPN and administrative interfaces, enforce multi-factor authentication (MFA), examine gateway logs for suspicious activity, and monitor for exposed employee credentials. BleepingComputer has reached out to Fortinet for comment and will update this story upon response.
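One way to act on the "examine gateway logs" advice above, written as an added example for this article rather than tooling from Hudson Rock, BleepingComputer or Fortinet: a small triage script that reads FortiGate-style key=value VPN event lines, flags sources that fail repeatedly across many usernames (the spraying pattern described in the story), and flags any successful SSL VPN login that follows such a run from the same source. The log lines are constructed, and field names such as `action`, `remip` and `user` are assumptions for the example, not verified against Fortinet documentation.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate's key=value event-log style.
# Field names (action, remip, user, reason) are assumptions for this example.
SAMPLE_LOGS = """\
date=2026-03-01 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="alice" reason="sslvpn_login_permission_denied"
date=2026-03-01 time=10:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="bob" reason="sslvpn_login_unknown_user"
date=2026-03-01 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="carol" reason="sslvpn_login_unknown_user"
date=2026-03-01 time=10:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="dave" reason="sslvpn_login_unknown_user"
date=2026-03-01 time=10:00:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="erin" reason="sslvpn_login_permission_denied"
date=2026-03-01 time=10:00:09 type="event" subtype="vpn" action="ssl-login" remip=203.0.113.10 user="erin" reason="N/A"
date=2026-03-01 time=10:05:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="frank" reason="sslvpn_login_permission_denied"
date=2026-03-01 time=10:05:30 type="event" subtype="vpn" action="ssl-login" remip=198.51.100.7 user="frank" reason="N/A"
"""

# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def analyze(log_text, fail_threshold=5, min_users=3):
    """Per source IP: count SSL VPN login failures, distinct usernames tried,
    and successful logins that arrive after the failure threshold was reached."""
    stats = defaultdict(lambda: {"fails": 0, "users": set(), "success_after_fails": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("subtype") != "vpn":
            continue  # only VPN events matter here
        src = rec.get("remip", "?")
        if rec.get("action") == "ssl-login-fail":
            stats[src]["fails"] += 1
            stats[src]["users"].add(rec.get("user", "?"))
        elif rec.get("action") == "ssl-login" and stats[src]["fails"] >= fail_threshold:
            # a success right after a run of failures is the case worth a human look
            stats[src]["success_after_fails"].append(rec.get("user", "?"))
    findings = {}
    for src, s in stats.items():
        spraying = s["fails"] >= fail_threshold and len(s["users"]) >= min_users
        if spraying or s["success_after_fails"]:
            findings[src] = {"fails": s["fails"], "distinct_users": len(s["users"]),
                             "spraying": spraying,
                             "success_after_fails": s["success_after_fails"]}
    return findings

if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOGS).items():
        print(src, f)
```

Thresholds are deliberately low so the constructed sample triggers; on real gateway logs tune them to the device's normal failure rate and feed the script the exported event log rather than the embedded sample.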

(Source: BleepingComputer)
