FortiBleed leak exposes VPN credentials for 73,000 Fortinet devices
At a glance:
- A massive data leak dubbed "FortiBleed" has exposed VPN credentials for 73,932 Fortinet and FortiGate devices across 194 countries
- Security researchers found evidence of 1.16 billion credential attempts against 320,777 FortiGate targets by a Russian-speaking threat group
- Organizations including Chevron, Samsung, Foxconn, and government agencies are among those impacted
What is FortiBleed and how was it discovered
Security researcher Bob Diachenko first uncovered the FortiBleed leak while investigating an exposed server containing what appeared to be valid Fortinet VPN credentials. The database included usernames, email addresses, and plaintext passwords for thousands of organizations worldwide. Diachenko's investigation revealed that the exposed data contained entries for major corporations including Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, and State Grid, along with detailed comments about each organization's industry, revenue, and employee count.
The discovery came after Diachenko found an open directory on the attacker's server containing artifacts, connection strings, tooling, scripts, and data. Analysis of the exposed files revealed analytics from cron jobs, bash histories, and logs that provided insight into the attack methodology. Threat intelligence company Hudson Rock later confirmed the scope of the leak after receiving the dataset from Diachenko, describing it as one of the largest known troves of compromised Fortinet-related credentials.
Scale and scope of the compromise
The FortiBleed dataset contains 73,932 unique firewall URLs across 194 countries, impacting 21,632 unique domains. The affected organizations span nearly every major industry sector, including telecommunications, IT services, financial services, government organizations, healthcare providers, educational institutions, and manufacturing. Notable organizations identified in the dataset include Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, and numerous government agencies and critical infrastructure operators.
The geographic distribution shows the highest number of affected devices in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates. Independent cybersecurity researcher Kevin Beaumont confirmed the authenticity of the credentials, estimating the dataset contains credentials for approximately 75,000 Fortinet devices, with almost all remaining online and running relatively recent FortiOS versions.
Beaumont's analysis indicated the leak contains approximately half of all internet-accessible Fortinet firewalls, with a majority of affected devices exposing their FortiGate management interfaces directly to the internet. The data appears to have originated from exported Fortinet configurations, as it contains email addresses typically only accessible through such configs.
Attack methodology and threat actor profile
According to Diachenko's investigation, the operation was conducted by a Russian-speaking multi-operator threat group that harvested credentials for FortiGate SSL VPN devices. The attackers allegedly conducted approximately 1.16 billion credential attempts against 320,777 FortiGate targets and an additional 2.1 billion attempts against 163,650 Microsoft SQL Server systems.
The threat actors intercepted SSL VPN authentication hashes, cracked them using a 45-GPU cluster managed through Hashtopolis, and used the recovered credentials to move laterally into internal Active Directory environments. The group successfully compromised multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey, including a Turkish NATO defense contractor from which classified documents were allegedly stolen.
The attackers maintained detailed logs of successful compromises and assembled a database containing verified credentials for organizations across nearly every major industry sector. The sophistication of the operation, including the use of a dedicated GPU cluster for password cracking, suggests significant resources and planning.
Impact and response recommendations
Organizations in the dataset should immediately rotate passwords associated with Fortinet VPN and administrative interfaces, enforce multi-factor authentication, examine gateway logs for suspicious activity, and monitor for exposed employee credentials. Hudson Rock has created a free FortiBleed lookup tool to help organizations check if they are impacted.
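As an added illustration of the "examine gateway logs" step (example code written for this article, not Fortinet's or Hudson Rock's tooling): a small detector that reads FortiOS-style key=value SSL VPN event lines, flags a source that fails logins across many distinct users, and surfaces any success from that same source. The log lines are constructed, and the field and action names (`subtype`, `action`, `user`, `remip`, `ssl-login-fail`, `ssl-login`) are assumptions modelled on FortiGate's event log format; adjust them to the fields your firmware actually emits.

```python
import re
from collections import defaultdict


def _log(action, user, ip, t):
    # Constructed FortiOS-style key=value line; field names are assumed.
    return (f'date=2025-01-10 time=08:00:{t:02d} type="event" subtype="vpn" '
            f'action="{action}" user="{user}" remip={ip} tunneltype="ssl-web"')


# Constructed sample: one source sprays six attempts over four accounts,
# then logs in as one of them; a second source has a single benign failure.
SAMPLE_LOGS = [
    _log("ssl-login-fail", u, "203.0.113.10", i)
    for i, u in enumerate(["alice", "bob", "carol", "dave", "alice", "bob"])
] + [
    _log("ssl-login", "carol", "203.0.113.10", 7),       # success after the spray
    _log("ssl-login-fail", "alice", "198.51.100.7", 9),  # lone typo, benign
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(lines, min_failures=5, min_users=3):
    """Return (spraying_sources, suspicious_successes).

    spraying_sources maps remip -> (failure count, sorted distinct users)
    for sources at or above both thresholds; suspicious_successes lists
    (remip, user) pairs where a flagged source later authenticated.
    """
    fails = defaultdict(lambda: {"count": 0, "users": set()})
    successes = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("subtype") != "vpn":
            continue
        src, user = ev.get("remip"), ev.get("user")
        if ev.get("action") == "ssl-login-fail":
            fails[src]["count"] += 1
            fails[src]["users"].add(user)
        elif ev.get("action") == "ssl-login":
            successes.append((src, user))
    spraying = {s: (d["count"], sorted(d["users"])) for s, d in fails.items()
                if d["count"] >= min_failures and len(d["users"]) >= min_users}
    suspicious = [(s, u) for s, u in successes if s in spraying]
    return spraying, suspicious
```

A success from a flagged source is the account to rotate first, since it indicates a guessed or leaked credential that actually worked.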
The exposure of credentials for a NATO defense contractor raises serious concerns about national security implications, particularly given the alleged theft of classified documents. The fact that many of the exposed credentials were long, complex passwords that would ordinarily be considered difficult to crack suggests the attackers may have obtained them directly from configuration files rather than through traditional brute force methods.
The source of the configuration data remains unknown; it is unclear whether it was stolen through previously disclosed Fortinet vulnerabilities, a newly discovered flaw, or some other method. Neither Diachenko, Hudson Rock, nor Beaumont has identified how the configuration data was originally obtained.
This incident follows the 2025 Belsen Group Fortinet leak, though the affected IP addresses differ, indicating this is a more recent and larger collection of compromised devices. The continued exposure of Fortinet devices directly to the internet without adequate protection remains a significant concern for the cybersecurity community.
What to watch next
Security teams should monitor for any new vulnerabilities in Fortinet products and ensure that management interfaces are not unnecessarily exposed to the internet. Organizations should review their Fortinet configurations for any signs of unauthorized access and implement network segmentation to limit lateral movement in case of future compromises.
The cybersecurity community will likely be watching how Fortinet responds to this incident and whether any new security advisories or patches are released. Additionally, further analysis may reveal whether the same threat group is responsible for other recent attacks or if this represents a new actor in the Fortinet exploitation landscape.
The incident highlights the ongoing risks associated with exposed VPN credentials and the importance of implementing zero-trust principles, regular credential rotation, and comprehensive logging and monitoring of authentication systems.