
FortiBleed leak exposes 73,000 Fortinet VPN credentials

Manaal Khan · 18 June 2026 at 6:56 am · 5 min read

Key Takeaways

Source: BleepingComputer
  • Security researchers discovered 73,932 Fortinet VPN credentials exposed on a public server, including plaintext passwords for Fortune 500 companies
  • Russian-speaking threat actors allegedly executed 1.16 billion credential attempts using a 45-GPU cracking cluster
  • Affected organizations span 194 countries, with India, the US, and Taiwan seeing the highest number of compromised devices

A massive credential leak dubbed FortiBleed has exposed plaintext usernames and passwords for 73,932 Fortinet VPN and firewall devices belonging to organizations worldwide. Security researcher Bob Diachenko discovered the database on an exposed server, with entries spanning Chevron, Samsung, Foxconn, AT&T, Mercedes-Benz, Toyota, and Fortinet itself.

The breach stands out for its scale and specificity. The attackers did not just collect credentials: they catalogued each target organization's industry, revenue, and employee count, building what amounts to a corporate targeting database for follow-on attacks.

Fortinet credentials found on an exposed server

How attackers harvested 1.16 billion credential attempts

According to Diachenko's analysis, a Russian-speaking multi-operator threat group ran approximately 1.16 billion credential attempts against 320,777 FortiGate targets. They also hit 163,650 Microsoft SQL Server systems with an additional 2.1 billion attempts.

The operation went beyond brute force. Attackers intercepted SSL VPN authentication hashes, then cracked them using a 45-GPU cluster managed through Hashtopolis, an open-source distributed password recovery platform. Recovered credentials enabled lateral movement into internal Active Directory environments.

Diachenko obtained these details because the attackers made a basic operational security mistake. They left an open directory containing artifacts, connection strings, scripts, cron jobs, bash histories, and logs. The exposed files painted a clear picture of the group's methodology.

Which organizations appear in the FortiBleed database?

Threat intelligence firm Hudson Rock analyzed the dataset and confirmed it contains 73,932 unique firewall URLs across 194 countries, impacting 21,632 unique domains. The company described it as one of the largest known troves of compromised Fortinet credentials.

Named organizations include Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, and numerous government agencies. Critical infrastructure operators also appear in the logs.

Geographic spread of compromised Fortinet devices in the FortiBleed leak (194 countries)

India leads the affected countries by device count, followed by the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates. The most common sectors are telecommunications, IT services, financial services, government, healthcare, education, and manufacturing.

Diachenko also reported that multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey were fully compromised. A Turkish NATO defense contractor allegedly had classified documents stolen.

Why complex passwords did not stop this attack

One puzzling detail: many of the exposed credentials are long, complex passwords that should have resisted brute-force guessing. Cybersecurity researcher Kevin Beaumont reviewed portions of the data and confirmed that some of the admin logins are authentic.

Beaumont concluded the data likely originated from exported Fortinet configurations, not just credential stuffing. The database contains email addresses and other information typically accessible only through config files. This suggests attackers either exploited a vulnerability to extract configs or obtained them through other means.

The affected IP addresses differ from those in the 2025 Belsen Group Fortinet leak, indicating FortiBleed represents a fresh, larger collection of compromised devices. According to Beaumont, most of the roughly 75,000 affected devices remain online.

What should affected organizations do now?

Security teams at organizations running Fortinet VPN infrastructure should assume their credentials may be compromised. Immediate steps include rotating all VPN and administrative passwords, auditing Active Directory for signs of lateral movement, and reviewing authentication logs for anomalous access patterns.
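One way to do the log review the paragraph above calls for, as an added example that is not part of the original article and not FortiGate's own analytics: the script parses SSL VPN event records in FortiGate's key=value log style and raises an alert when one source IP fails against several distinct usernames (a password spray) and again when a tunnel comes up from that same IP afterwards (a guessed or leaked credential being validated). The log lines are constructed for illustration and use documentation address ranges; the field names (subtype, action, user, remip) follow FortiOS event logs as the author understands them, and the spray threshold is an assumption to tune per environment. A single typo followed by a successful login, as with alice from 198.51.100.20 below, stays under the threshold and does not alert.

```python
import re
from collections import defaultdict

# Constructed sample, not real telemetry: four failures against different users
# from one IP, then a tunnel from the same IP; a benign typo-then-success from
# another IP; and one unrelated traffic record that must be ignored.
CONSTRUCTED_LOGS = """\
date=2026-06-17 time=02:11:04 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" user="admin" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=02:11:05 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" user="jsmith" remip=203.0.113.7 reason="sslvpn_login_unknown_user"
date=2026-06-17 time=02:11:06 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" user="alice" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=02:11:07 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" user="bob" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=02:11:30 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" user="bob" remip=203.0.113.7 reason="login successfully"
date=2026-06-17 time=08:02:11 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" user="alice" remip=198.51.100.20 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=08:02:25 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" user="alice" remip=198.51.100.20 reason="login successfully"
date=2026-06-17 time=08:03:00 type="traffic" subtype="forward" srcip=10.10.0.4 dstip=10.10.0.5 action="accept"
"""

# key=value pairs; values are either double-quoted or a bare token (remip=1.2.3.4)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return the record as a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect(lines, spray_users=3):
    """Scan VPN event records in order and return alerts as tuples.

    ("spray", ip, [users])          one IP failed against >= spray_users distinct users
    ("success-after-spray", ip, u)  a tunnel came up from an IP already flagged as spraying
    """
    failed_users = defaultdict(set)   # remip -> distinct usernames that failed from it
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev.get("type") != "event" or ev.get("subtype") != "vpn":
            continue                      # traffic/system records are not in scope here
        ip, user, action = ev.get("remip"), ev.get("user"), ev.get("action")
        if action == "ssl-login-fail":
            failed_users[ip].add(user)
            if len(failed_users[ip]) == spray_users:   # fire once, on crossing the threshold
                alerts.append(("spray", ip, sorted(failed_users[ip])))
        elif action == "tunnel-up" and len(failed_users[ip]) >= spray_users:
            alerts.append(("success-after-spray", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_LOGS.splitlines()):
        print(alert)
```

Feeding the script a real export (`grep 'subtype="vpn"'` over the event log, or the SIEM's equivalent) is the obvious next step; the "success-after-spray" alert is the one worth paging on, since it marks the moment a credential from a leak like this one actually worked.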

Community discussion on Reddit and Hacker News highlights a broader concern: too many critical infrastructure systems still rely on credential-only authentication. The FortiBleed incident underscores the need for universal multi-factor authentication and strict IP restrictions on management interfaces.

  • Rotate all Fortinet VPN and admin credentials immediately
  • Enable MFA on all management interfaces and VPN access
  • Audit Active Directory for unauthorized access or new accounts
  • Restrict management access to known IP ranges
  • Review where configuration backups are stored and who has accessed them; treat every secret in an export as compromised if that export may have leaked
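To make the checklist above concrete, here is an added example (not Fortinet's tooling and not code from the source article) that parses a FortiOS-style CLI backup and flags the gaps the list targets: admin accounts with no trusthost restriction or no two-factor, management services enabled on a WAN-role interface, password-only local users, and a count of the stored secrets that a leaked export would hand an attacker. The configuration text is constructed for illustration; the setting names (trusthost1, two-factor, allowaccess, role) follow FortiOS CLI conventions, while the parser is deliberately minimal and assumes a well-formed config/edit/set/next/end structure.

```python
import shlex

# Constructed FortiOS-style backup, not a real device export: one admin with no
# restrictions, one hardened admin, management services open on the WAN interface,
# and two local VPN users of which only one has two-factor.
CONSTRUCTED_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC SH2REDACTED
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set password ENC SH2REDACTED
    next
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config user local
    edit "alice"
        set type password
        set two-factor fortitoken
    next
    edit "bob"
        set type password
    next
end
"""


def _parse(lines, pos, terminator):
    """Recursive descent over config/edit/set/next/end lines; returns (node, next_pos)."""
    node = {"settings": {}, "entries": {}}
    while pos < len(lines):
        tok = shlex.split(lines[pos])
        pos += 1
        if tok[0] == terminator:
            return node, pos
        if tok[0] == "set" and len(tok) > 1:
            node["settings"][tok[1]] = tok[2:]            # values kept as a list
        elif tok[0] == "edit" and len(tok) > 1:
            node["entries"][tok[1]], pos = _parse(lines, pos, "next")
        elif tok[0] == "config":
            node["settings"][" ".join(tok[1:])], pos = _parse(lines, pos, "end")
        # unset/append and other keywords are ignored by this minimal parser
    if terminator is None:
        return node, pos
    raise ValueError(f"unterminated block, expected '{terminator}'")


def parse_fortios(text):
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return _parse(lines, 0, None)[0]


def _entries(tree, path):
    """name -> settings dict for each 'edit' under a top-level config path."""
    blk = tree["settings"].get(path, {"entries": {}})
    return {name: n["settings"] for name, n in blk["entries"].items()}


def count_secrets(node):
    """Stored secrets in the export: what a leaked config hands an attacker (heuristic by key name)."""
    n = 0
    for key, val in node["settings"].items():
        if isinstance(val, dict):
            n += count_secrets(val)
        elif any(s in key for s in ("password", "passwd", "psksecret", "secret")):
            n += 1
    return n + sum(count_secrets(e) for e in node["entries"].values())


MGMT = {"http", "https", "ssh", "telnet", "fgfm"}


def audit(tree):
    """Return (severity, message) findings for the checklist items."""
    f = []
    for name, a in _entries(tree, "system admin").items():
        if not any(k.startswith("trusthost") for k in a):
            f.append(("high", f"admin '{name}': no trusthost, logins accepted from any source IP"))
        if "two-factor" not in a:
            f.append(("high", f"admin '{name}': no two-factor authentication"))
    for name, i in _entries(tree, "system interface").items():
        exposed = MGMT & set(i.get("allowaccess", []))
        if i.get("role") == ["wan"] and exposed:
            f.append(("high", f"interface '{name}': {sorted(exposed)} reachable from the WAN"))
    for name, u in _entries(tree, "user local").items():
        if u.get("type") == ["password"] and "two-factor" not in u:
            f.append(("medium", f"local user '{name}': password-only, no two-factor"))
    n = count_secrets(tree)
    if n:
        f.append(("info", f"{n} stored secret(s) in export; rotate them all if it may have leaked"))
    return f
```

Run `audit(parse_fortios(open("backup.conf").read()))` against a real export and the "info" line doubles as the rotation list: every key the secret counter matches is a credential that an exposed config has already given away.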

Frequently Asked Questions

What is FortiBleed and how many devices are affected?

FortiBleed is a data leak exposing Fortinet VPN credentials for 73,932 firewall URLs across 194 countries. The database includes plaintext passwords, usernames, and email addresses for major corporations and government agencies.

Who is behind the FortiBleed credential harvest?

Security researcher Bob Diachenko traced the operation to a Russian-speaking multi-operator threat group. The attackers used a 45-GPU cluster to crack intercepted SSL VPN authentication hashes.

How can organizations check if they are in the FortiBleed leak?

Organizations should contact threat intelligence firms like Hudson Rock, which analyzed the dataset. Proactive steps include auditing VPN logs for unusual access and rotating all Fortinet administrative credentials.

Is FortiBleed related to the 2025 Belsen Group Fortinet leak?

No. Security researcher Kevin Beaumont confirmed the IP addresses in FortiBleed differ from the 2025 Belsen Group leak, indicating this is a separate and larger collection of compromised credentials.

Why were complex passwords not enough protection?

The attackers appear to have extracted Fortinet configuration files directly, bypassing brute-force limitations. Config exports contain credentials and email addresses not accessible through login attempts alone.


Logicity's Take

The FortiBleed leak exposes a systemic failure in enterprise perimeter security, not a Fortinet-specific flaw. Organizations treat VPN credentials as their first line of defense, then store them in configuration files that become single points of failure. The attackers' 45-GPU cracking cluster cost perhaps $50,000 to build. For Fortune 500 targets, that investment pays off handsomely. Until enterprises treat VPN credentials as temporary, MFA-protected tokens rather than permanent secrets, leaks like this will keep happening.


Need Help Implementing This?

If your organization uses Fortinet VPN infrastructure, now is the time to audit your credential hygiene and MFA coverage. Contact Logicity for recommendations on threat intelligence services and incident response partners who can assess your exposure.

Source: BleepingComputer


Manaal Khan

Tech & Innovation Writer
