    FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices.

    By admin | June 17, 2026

    A newly discovered data leak dubbed “FortiBleed” has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations worldwide.

    The exposed data was first discovered by security researcher Bob Diachenko, who says he found a server containing what appeared to be valid Fortinet VPN credentials, including usernames, email addresses, and plaintext passwords.

    According to screenshots and information shared by Diachenko, the database contains entries for Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, State Grid, and many others. 

    “Massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action,” Diachenko posted on LinkedIn.

    “Thousands of top vendors instances are listed in the files like this (see screenshot). This one alone has 21,634 domain names – from Chevron to Fortinet itself. All – with potentially working passwords to the FortiGate appliances obtained through various means.”

    The exposed data also included comments listing each organization’s industry, revenue, and number of employees, likely for planning attacks.

    Figure: Fortinet credentials found on an exposed server (Source: Diachenko)

    Diachenko later shared additional information claiming that the operation was conducted by a Russian-speaking, multi-operator threat group that harvested credentials for FortiGate SSL VPN devices.

    According to Diachenko’s investigation, the attackers allegedly conducted approximately 1.16 billion credential attempts against 320,777 FortiGate targets and an additional 2.1 billion attempts against 163,650 Microsoft SQL Server systems.

    He further claimed the threat actors intercepted SSL VPN authentication hashes, cracked them using a 45-GPU cluster managed through Hashtopolis, and used the recovered credentials to move laterally into internal Active Directory environments.

    Diachenko told BleepingComputer he obtained these details after analyzing additional files inadvertently exposed on the same server.

    “They accidentally left an open directory with artefacts, connection strings, tooling, scripts and data online. Analytics obtained via their cron jobs, bash histories, logs etc,” Diachenko explained.

    The researcher also stated that multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey were fully compromised, including a Turkish NATO defense contractor from which classified documents were allegedly stolen. 

    Threat intelligence company Hudson Rock has since published its own analysis of the exposed data after receiving the dataset from Diachenko. The company described the collection as one of the largest known troves of compromised Fortinet-related credentials.

    According to Hudson Rock, the dataset contains 73,932 unique firewall URLs across 194 countries and impacts 21,632 unique domains. 

    The company says the attackers maintained detailed logs of successful compromises and assembled a database containing verified credentials for organizations across nearly every major industry sector. 

    Among the organizations Hudson Rock says appear in the dataset are Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, and numerous government agencies and critical infrastructure operators. 

    The company also released statistics showing that the highest number of affected devices was in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates.

    The most common sectors for the listed companies are telecommunications, IT services, financial services, government organizations, healthcare providers, educational institutions, and manufacturing.

    One strange aspect of the leak is that many of the exposed credentials were long, complex passwords that would ordinarily be considered difficult to crack.

    Believed to be extracted from Fortinet configs

    Cybersecurity researcher Kevin Beaumont independently reviewed portions of the exposed data and told BleepingComputer that some of the credentials are authentic.

    “I have been able to confirm the authenticity of some of the admin logins and passwords – this looks like a real dump,” Beaumont said.

    After further review of the data shared by Hudson Rock, Beaumont published additional findings indicating that the dataset contains credentials for roughly 75,000 Fortinet devices, most of which remain online.

    According to Beaumont, the data appears to have originated from exported Fortinet configurations because it contains information, including email addresses, that is typically only accessible through configs.

    He also said the affected IP addresses are different from those in the 2025 Belsen Group Fortinet leak, further indicating that this is a more recent and larger collection of compromised devices.

    Beaumont said he verified that multiple organizations listed in the dataset were using valid credentials and observed that many affected devices were running relatively recent FortiOS versions.

    “The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data,” Beaumont wrote.

    Based on network data from Shodan, Beaumont says the leak contains approximately half of all internet-accessible Fortinet firewalls and that a majority of the affected devices expose their FortiGate management interfaces directly to the internet.

    The source of the configuration data remains unknown. It is unclear whether it was stolen through previously disclosed Fortinet vulnerabilities, a newly discovered flaw, or another method. Neither Diachenko, Hudson Rock, nor Beaumont has identified how the configuration data was originally obtained.

    Hudson Rock has created a free FortiBleed lookup tool to check if your organization is impacted.

    Organizations in the dataset should immediately rotate passwords associated with Fortinet VPN and administrative interfaces, enforce MFA, examine gateway logs for suspicious activity, and monitor for exposed employee credentials.
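
One way to start the gateway log review recommended above, as an added example that is not from the original article or from Fortinet: it flags successful admin logins from outside the expected management networks and successes that follow a run of failures. The log lines are constructed, `MGMT_NETS` is a placeholder, and the field names and values (`srcip`, `remip`, `action`, `status`, `ssl-login-fail`) are assumptions modelled on FortiOS key=value event logs that should be checked against your own export.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks from which admin logins are expected (placeholder range).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample events in FortiOS-style key=value syntax; not taken from the leak.
SAMPLE_LOG = """\
date=2026-06-16 time=02:11:40 subtype="system" user="admin" srcip=203.0.113.45 action="login" status="failed"
date=2026-06-16 time=02:11:42 subtype="system" user="admin" srcip=203.0.113.45 action="login" status="failed"
date=2026-06-16 time=02:11:45 subtype="system" user="admin" srcip=203.0.113.45 action="login" status="failed"
date=2026-06-16 time=02:11:49 subtype="system" user="admin" srcip=203.0.113.45 action="login" status="success"
date=2026-06-16 time=08:30:02 subtype="system" user="netops" srcip=10.20.0.15 action="login" status="success"
date=2026-06-16 time=09:02:10 subtype="vpn" user="j.doe" remip=198.51.100.7 action="ssl-login-fail"
date=2026-06-16 time=09:14:31 subtype="system" user="backup" srcip=198.51.100.9 action="login" status="success"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {k: q or bare for k, q, bare in KV.findall(line)}

def triage(log_text, mgmt_nets=MGMT_NETS, fail_threshold=3):
    """Return (finding, user, source_ip, timestamp) tuples for analyst review."""
    failures = Counter()  # (user, source ip) -> failed attempts since last success
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        src = ev.get("srcip") or ev.get("remip")  # system events vs. VPN events
        if not src or "action" not in ev:
            continue
        key = (ev.get("user", "?"), src)
        when = f'{ev.get("date")} {ev.get("time")}'
        if ev.get("status") == "failed" or ev["action"] == "ssl-login-fail":
            failures[key] += 1
        elif ev["action"] == "login" and ev.get("status") == "success":
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in mgmt_nets):
                findings.append(("admin_login_outside_mgmt", *key, when))
            if failures[key] >= fail_threshold:
                findings.append(("success_after_failures", *key, when))
            failures[key] = 0
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A login that uses an already-valid leaked password produces no preceding failures, so the source-network check is the one that matters most for devices listed in the dataset.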

    BleepingComputer contacted Fortinet regarding the exposed dataset and will update this article if we receive a response.

