FortiBleed leak reveals Fortinet VPN credentials for 73,000 devices.

A recently discovered data leak called “FortiBleed” exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs in organizations around the world.
The exposed data was first discovered by security researcher Bob Diachenko, who says he found a server containing what appeared to be Fortinet VPN credentials, including usernames, email addresses, and encrypted passwords.
According to screenshots and information shared by Diachenko, the website contains entries for Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, State Grid, and many others.

“Massive Fortinet/FortiGate bruteforce/exploit campaign exposed in action,” Diachenko wrote on LinkedIn.
“Thousands of top vendors are listed in files like this (see screenshot). This one alone has 21,634 domain names – from Chevron to Fortinet itself. All – with passwords that might work on FortiGate devices found using various means.”
The disclosed data also included comments listing each organization’s industry, revenue, and number of employees, which could have been used to classify and prioritize targets.

Diachenko later shared additional information indicating that the operation was carried out by a group of Russian-speaking operators running multiple campaigns, who collected information on FortiGate SSL VPN devices.
According to Diachenko’s investigation, the attackers allegedly made approximately 1.16 billion authentication attempts against 320,777 FortiGate targets and an additional 2.1 billion attempts against 163,650 Microsoft SQL Server systems.
He also said that the threat actors intercepted SSL VPN authentication hashes, cracked them using a 45-GPU cluster managed by Hashtopolis, and used the recovered credentials to move laterally into internal Active Directory environments.
Diachenko told BleepingComputer that he discovered this information after analyzing additional files that were indirectly exposed on the same server.
“They accidentally left an open directory with artifacts, connection cables, tools, scripts and data online. Statistics were found through their cron jobs, bash history, logs etc,” explained Diachenko.
The researcher also revealed that many organizations across Japan, Taiwan, Vietnam, Iraq and Turkey were completely compromised, including a Turkish NATO defense contractor from which classified documents were allegedly stolen.
Threat intelligence firm Hudson Rock has since published its analysis of the leaked data after receiving the dataset from Diachenko. The company described the collection as one of the largest known collections of Fortinet-related credentials.
According to Hudson Rock, the data set contains 73,932 unique firewall URLs in 194 countries and affects 21,632 unique domains.
The company says the attackers kept detailed logs of successful compromises and compiled data containing verified credentials for organizations in nearly every major industry sector.
Among the organizations Hudson Rock said appeared in the dataset are Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, and many government agencies and critical infrastructure operators.
The company also released statistics showing that the highest number of affected devices are in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates.
The most common sectors for listed companies are telecommunications, IT services, financial services, government agencies, healthcare providers, educational institutions, and manufacturing.
One strange aspect of the leak is that most of the leaked passwords were long, complex passwords that would have been considered difficult to crack.
Believed to have been extracted from Fortinet configs
Cybersecurity researcher Kevin Beaumont independently reviewed portions of the disclosed data and told BleepingComputer that some of the information is legitimate.
“I was able to verify the authenticity of some admin logins and passwords – this looks like a real dump,” said Beaumont.
After further review of the data shared by Hudson Rock, Beaumont published additional findings showing that the dataset contains credentials for approximately 75,000 Fortinet devices, most of which are currently online.
According to Beaumont, the data appears to come from Fortinet device configurations because it contains information, including email addresses, that is normally only found in configuration files.
He also said that the affected IP addresses were different from those in the Belsen Group’s 2025 Fortinet leak, further indicating that this is a more recent and larger set of compromised devices.
Beaumont said he confirmed that most of the organizations listed in the dataset could be matched to official records, and noted that many of the affected devices were running the latest versions of FortiOS.
“The data is legit. It’s 75k devices. Almost all are online, as well as Fortinet devices. It appears to be recent data,” Beaumont wrote.
Based on network data from Shodan, Beaumont says the leak covers about half of all Fortinet firewalls reachable from the Internet, and that most of the affected devices expose their FortiGate management interfaces directly to the Internet.
The source of the configuration data remains unknown, and it is unclear whether it was stolen through a previously disclosed Fortinet vulnerability, a newly discovered bug, or some other means. Neither Diachenko, Hudson Rock, nor Beaumont identified how the configuration data was originally obtained.
Hudson Rock has created a free FortiBleed scan tool to check if your organization is affected.
Organizations in the dataset should immediately rotate passwords associated with Fortinet VPN and management interfaces, enforce MFA, check gateway logs for suspicious activity, and monitor exposed employee credentials.
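As an added illustration of the "check gateway logs for suspicious activity" step (example code written for this article, not a tool from Hudson Rock, Fortinet, or any of the researchers quoted), the script below scans SSL VPN event logs for the authentication-attempt patterns described in the story: high failure counts from one source, many distinct usernames from one source, and a successful tunnel that follows a run of failures. The log lines are constructed samples; their key=value layout and field names (`subtype`, `action`, `remip`, `user`) are assumed to loosely resemble FortiOS event logs and should be checked against your own device's output before use.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real device output). Field names are an
# assumption modelled loosely on FortiOS key=value event logs.
SAMPLE_LOGS = """\
date=2025-01-10 time=08:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="jsmith" reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="backup" reason="sslvpn_login_unknown_user"
date=2025-01-10 time=08:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="vpnuser" reason="sslvpn_login_unknown_user"
date=2025-01-10 time=08:00:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:00:06 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="jsmith" reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:00:09 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.10 user="jsmith" tunneltype="ssl-tunnel"
date=2025-01-10 time=08:30:00 type="event" subtype="system" action="login" remip=192.0.2.55 user="bob" msg="Administrator login"
date=2025-01-10 time=08:31:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.55 user="bob" reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:31:30 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.55 user="bob" reason="sslvpn_login_permission_denied"
date=2025-01-10 time=09:15:00 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="alice" tunneltype="ssl-tunnel"
"""

# Matches key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def analyze(log_text, fail_threshold=5, user_threshold=3):
    """Aggregate SSL VPN events per source IP and flag suspicious patterns.

    Returns {remip: {"failures": n, "distinct_users": n, "indicators": [...]}}
    for every source that trips at least one indicator.
    """
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(),
                                  "success_after_failures": False})
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        f = parse_line(raw)
        # Only VPN events matter here; admin GUI/system logins are out of scope.
        if f.get("subtype") != "vpn":
            continue
        ip = f.get("remip")
        if not ip:
            continue
        entry = per_ip[ip]
        action = f.get("action", "")
        if action == "ssl-login-fail":
            entry["failures"] += 1
            entry["users"].add(f.get("user", ""))
        elif action == "tunnel-up" and entry["failures"] > 0:
            # A tunnel coming up after failures from the same source is the
            # "guess until it works" signature worth an analyst's attention.
            entry["success_after_failures"] = True

    findings = {}
    for ip, e in per_ip.items():
        indicators = []
        if e["failures"] >= fail_threshold:
            indicators.append("brute-force")
        if len(e["users"]) >= user_threshold:
            indicators.append("password-spray")
        if e["success_after_failures"]:
            indicators.append("success-after-failures")
        if indicators:
            findings[ip] = {"failures": e["failures"],
                            "distinct_users": len(e["users"]),
                            "indicators": indicators}
    return findings


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOGS).items():
        print(f"{ip}: {info['failures']} failures, "
              f"{info['distinct_users']} users, {', '.join(info['indicators'])}")
```

On the sample input only 203.0.113.10 is reported (six failures across four usernames, then a successful tunnel); the two failures from 192.0.2.55 stay below both thresholds and its non-VPN system login is ignored. Tune `fail_threshold` and `user_threshold` to your environment, and feed the function real syslog exports rather than the constructed lines.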
BleepingComputer has contacted Fortinet about the exposed dataset and will update this article when we receive a response.
