A fresh data breach nicknamed “FortiBleed” has surfaced, revealing what looks to be a massive stash of Fortinet and FortiGate VPN login details tied to 73,932 firewall addresses across organizations around the globe.
The leaked data was initially spotted by security analyst Bob Diachenko, who reported coming across a server hosting what appeared to be legitimate Fortinet VPN credentials — complete with usernames, email addresses, and unencrypted passwords.
Based on screenshots and details Diachenko provided, the database includes records for Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, State Grid, and numerous additional organizations.

“Massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action,” Diachenko wrote in a LinkedIn post.
“Thousands of top vendor instances are listed in the files like this (see screenshot). This one alone has 21,634 domain names — from Chevron to Fortinet itself. All — with potentially working passwords to the FortiGate appliances obtained through various means.”
The leaked data also featured notes detailing each organization’s industry, revenue, and employee count, likely intended for orchestrating follow-up attacks.

Source: Diachenko
Diachenko later disclosed further details asserting that the operation was carried out by a Russian-speaking, multi-operator threat group that collected credentials for FortiGate SSL VPN appliances.
According to Diachenko’s findings, the attackers reportedly executed roughly 1.16 billion credential attempts targeting 320,777 FortiGate systems, along with an additional 2.1 billion attempts against 163,650 Microsoft SQL Server instances.
He further stated that the threat actors captured SSL VPN authentication hashes, cracked them using a 45-GPU cluster managed via Hashtopolis, and leveraged the recovered credentials to pivot laterally into internal Active Directory networks.
Diachenko informed BleepingComputer that he gathered these insights after examining additional files that were unintentionally left accessible on the same server.
“They accidentally left an open directory with artefacts, connection strings, tooling, scripts and data online. Analytics obtained via their cron jobs, bash histories, logs etc,” Diachenko explained.
The researcher also noted that multiple organizations in Japan, Taiwan, Vietnam, Iraq, and Turkey were fully breached, including a Turkish NATO defense contractor from which classified documents were reportedly exfiltrated.
Threat intelligence firm Hudson Rock has since released its own examination of the leaked data after receiving the dataset from Diachenko. The firm characterized the collection as one of the largest known repositories of compromised Fortinet-related credentials.
According to Hudson Rock, the dataset encompasses 73,932 unique firewall URLs spanning 194 countries and affects 21,632 distinct domains.
The firm reports that the attackers kept meticulous records of successful intrusions and compiled a database containing validated credentials for organizations spanning virtually every major industry vertical.
Among the organizations Hudson Rock identifies as appearing in the dataset are Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, and multiple government agencies and critical infrastructure operators.
The firm also published statistics indicating that the highest concentration of affected devices was found in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates.
The most prevalent sectors represented among the listed companies are telecommunications, IT services, financial services, government entities, healthcare providers, educational institutions, and manufacturing.
One puzzling aspect of the leak is that many of the exposed credentials consisted of long, complex passwords that would normally be regarded as difficult to crack.
Believed to be extracted from Fortinet configs
Cybersecurity researcher Kevin Beaumont independently examined portions of the leaked data and told BleepingComputer that some of the credentials are genuine.
“I have been able to confirm the authenticity of some of the admin logins and passwords — this looks like a real dump,” Beaumont stated.
After further analysis of the data shared by Hudson Rock, Beaumont published additional findings suggesting that the dataset contains credentials for approximately 75,000 Fortinet devices, the majority of which are still online.
According to Beaumont, the data appears to have been derived from exported Fortinet configurations because it includes information — such as email addresses — that is typically only accessible through configuration files.
He also pointed out that the affected IP addresses differ from those in the 2025 Belsen Group Fortinet leak, further suggesting that this is a more recent and larger collection of compromised devices.
Beaumont confirmed that the credentials listed for multiple organizations in the dataset were still valid, and noted that many of the affected devices were running relatively up-to-date FortiOS versions.
“The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data,” Beaumont wrote.
Based on network data from Shodan, Beaumont says the leak covers roughly half of all internet-accessible Fortinet firewalls, and noted that a majority of the affected devices expose their FortiGate management interfaces directly to the internet.
The origin of the configuration data remains unclear: it is not known whether it was stolen through previously disclosed Fortinet vulnerabilities, a newly discovered flaw, or some other technique. Neither Diachenko, Hudson Rock, nor Beaumont has determined how the configuration data was originally obtained.
Hudson Rock has developed a free FortiBleed lookup tool to check whether your organization is affected.
Organizations present in the dataset should immediately rotate the passwords for Fortinet VPN and administrative accounts, enforce multi-factor authentication, review gateway logs for suspicious activity, and monitor for exposed employee credentials. Because the data appears to have come from exported configurations, any other secrets stored in those files should be treated as exposed as well, and management interfaces should not be reachable from the internet.
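As an added example (not code from the article, from Hudson Rock, or from the researchers quoted above), the following Python script performs the log-review step over constructed FortiGate-style SSL VPN event lines. It flags any source IP with five or more failed logins inside a ten-minute window, and flags successful logins that either come from such a source or follow a burst of failures for the same account, the trace a distributed password spray leaves. The field names follow the FortiOS key=value log syntax; the action values `ssl-login-fail`, `ssl-login` and `tunnel-up`, the thresholds and the sample addresses are assumptions to adjust to your own log export.

```python
"""Flag brute-force sources and suspicious successful logins in FortiGate
SSL VPN event logs.  Added example, not Fortinet's or the researchers' tooling.
Field names (date, time, subtype, action, user, remip) follow FortiOS
key=value syntax; the action values and thresholds below are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# key=value pairs; values are either "quoted strings" or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

FAIL_ACTIONS = {"ssl-login-fail"}             # assumed: failed SSL VPN login
SUCCESS_ACTIONS = {"ssl-login", "tunnel-up"}  # assumed: successful login / tunnel

# Constructed sample log (TEST-NET addresses); not data from the leak.
SAMPLE_LOG = [
    'date=2026-03-01 time=02:14:01 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.7 reason="sslvpn_login_permission_denied"',
    'date=2026-03-01 time=02:14:03 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.7 reason="sslvpn_login_permission_denied"',
    'date=2026-03-01 time=02:14:05 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.7 reason="sslvpn_login_permission_denied"',
    'date=2026-03-01 time=02:14:08 type="event" subtype="vpn" action="ssl-login-fail" user="vpnuser" remip=203.0.113.7 reason="sslvpn_login_permission_denied"',
    'date=2026-03-01 time=02:14:10 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.7 reason="sslvpn_login_permission_denied"',
    'date=2026-03-01 time=02:16:30 type="event" subtype="vpn" action="tunnel-up" user="admin" remip=203.0.113.7 tunnelip=10.212.134.200',
    'date=2026-03-01 time=03:05:12 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip=198.51.100.22',
    'date=2026-03-01 time=03:05:40 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip=198.51.100.23',
    'date=2026-03-01 time=03:06:05 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip=198.51.100.24',
    'date=2026-03-01 time=03:06:40 type="event" subtype="vpn" action="tunnel-up" user="mlee" remip=198.51.100.99',
    'date=2026-03-01 time=04:30:00 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=192.0.2.50',
    'date=2026-03-01 time=04:30:20 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=192.0.2.50',
    'date=2026-03-01 time=04:31:00 type="event" subtype="system" action="login" user="admin" srcip=192.0.2.9',
]


def parse_line(line):
    """Turn one key=value log line into a dict; adds a datetime under 'ts'."""
    ev = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    if "date" in ev and "time" in ev:
        ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev


def _prune(dq, now, window):
    """Drop timestamps older than the sliding window."""
    while dq and now - dq[0] > window:
        dq.popleft()


def analyze(lines, window=timedelta(minutes=10), ip_threshold=5, user_threshold=3):
    """Return (sorted brute-force source IPs, list of (alert_type, ip, user)).

    Lines are processed in order, so the input should be chronological.
    Only SSL VPN events (subtype="vpn") with a parsable timestamp are used.
    """
    fails_by_ip = defaultdict(deque)    # remip -> recent failure timestamps
    fails_by_user = defaultdict(deque)  # user  -> recent failure timestamps
    brute_ips = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn" or "ts" not in ev:
            continue
        ts, ip, user, action = ev["ts"], ev.get("remip"), ev.get("user"), ev.get("action")
        if action in FAIL_ACTIONS:
            for dq in (fails_by_ip[ip], fails_by_user[user]):
                dq.append(ts)
                _prune(dq, ts, window)
            if len(fails_by_ip[ip]) >= ip_threshold and ip not in brute_ips:
                brute_ips.add(ip)
                alerts.append(("bruteforce_source", ip, None))
        elif action in SUCCESS_ACTIONS:
            _prune(fails_by_user[user], ts, window)
            if ip in brute_ips:
                alerts.append(("success_from_bruteforce_source", ip, user))
            elif len(fails_by_user[user]) >= user_threshold:
                # many recent failures for this account, then a success:
                # the trace a password spray leaves across several source IPs
                alerts.append(("success_after_failures", ip, user))
    return sorted(brute_ips), alerts


if __name__ == "__main__":
    ips, found = analyze(SAMPLE_LOG)
    print("brute-force sources:", ips)
    for alert in found:
        print(*alert)
```

On a real export, pass the open file object (one line per iteration) instead of `SAMPLE_LOG`; a single failed attempt followed by a success from the same address, as with `jdoe` above, stays below both thresholds and is deliberately not reported.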
BleepingComputer reached out to Fortinet regarding the exposed dataset and will update this article if a response is received.
