FortiBleed leak exposes Fortinet VPN credentials for 73,932 devices

A newly identified data breach called FortiBleed has revealed what appear to be valid login details for 73,932 distinct Fortinet and FortiGate firewall addresses located at companies spread across 194 countries and 21,632 separate domains.

A researcher uncovered an open server with harvested VPN data. Bob Diachenko located an unprotected server holding usernames, email addresses, and passwords in plain text for Fortinet VPN services. The records referenced major entities such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, and State Grid, each accompanied by notes detailing the target's industry, revenue, and workforce size.

The security expert characterized the discovery on LinkedIn as evidence of a "Massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action." A single listed file held 21,634 domain names together with passwords that may still function, gathered by different methods.

The operation was run by a Russian-speaking threat group. Further examination of inadvertently exposed materials, among them analytics, connection strings, scripts, bash histories, and logs, led Diachenko to conclude that the campaign involved roughly 1.16 billion login attempts directed at 320,777 FortiGate systems plus another 2.1 billion attempts aimed at 163,650 Microsoft SQL Server installations. The operators reportedly captured SSL VPN authentication hashes, broke them with a 45-GPU cluster coordinated via Hashtopolis, and leveraged the resulting credentials for lateral movement inside Active Directory networks.

Hudson Rock received the material from Diachenko and labeled the cache one of the largest known collections of stolen Fortinet credentials. The firm noted that the perpetrators kept thorough records of every successful breach and compiled confirmed logins spanning almost every significant industry vertical.

Multiple organizations suffered full compromise. Diachenko determined that several victims in Japan, Taiwan, Vietnam, Iraq, and Turkey experienced complete network takeover, among them a Turkish NATO defense contractor from which classified materials were reportedly taken. Hudson Rock's separate review added Siemens, Lenovo, PwC, Accenture, Oracle, various government bodies, and operators of critical infrastructure to the roster of impacted parties.

India recorded the largest share of affected appliances at 9,629, followed by the United States with 6,352; the remaining top countries were Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates. Affected organizations most frequently operated in telecommunications, IT services, financial services, government, healthcare, education, and manufacturing.

Many exposed passwords were complex despite the breach method. The credentials included numerous lengthy and intricate passwords normally viewed as resistant to cracking. Separate analysis performed by DoublePulsar determined the material had been prepared for possible sale on dark web markets and relied in some cases on older SHA-256 hashes used before Fortinet introduced its PBKDF2 strengthening in 2025; a substantial number of the targeted appliances had already received patches by the time the server was found.