FortiBleed: Massive Fortinet VPN Credential Leak Exposes 74,000 Firewalls Worldwide A newly uncovered data leak, dubbed FortiBleed, has exposed credentials for 73,932 Fortinet and FortiGate VPN firewalls across organizations globally. Security researcher Bob Diachenko discovered the breach after identifying an unsecured server containing usernames, email addresses, and plaintext passwords for high-profile targets, including Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, and multiple government agencies. The dataset, analyzed by Diachenko and later confirmed by threat intelligence firm Hudson Rock, includes 21,632 unique domains spanning 194 countries, with the highest concentrations of affected devices in India, the U.S., Taiwan, Mexico, and Turkey. The compromised credentials span industries such as telecommunications, IT services, finance, healthcare, manufacturing, and critical infrastructure. ### Attack Method & Scope Diachenko’s investigation revealed the breach was orchestrated by a Russian-speaking threat group that conducted 1.16 billion credential-stuffing attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 Microsoft SQL servers. The attackers used a 45-GPU cluster running Hashtopolis to crack intercepted SSL VPN authentication hashes, then leveraged the stolen credentials to infiltrate Active Directory environments. Additional exposed files accidentally left accessible on the same server contained attack logs, scripts, and tooling, along with detailed profiles of targeted organizations, including revenue, employee counts, and industry classifications. The breach also led to full compromises of entities in Japan, Taiwan, Vietnam, Iraq, and Turkey, including a Turkish NATO defense contractor, from which classified documents were allegedly exfiltrated. ### Credential Authenticity & Origin Cybersecurity researcher Kevin Beaumont independently verified portions of the dataset, confirming that many credentials were legitimate and that roughly 75,000 Fortinet devices most still online were affected. The data appears to have been extracted from Fortinet configuration files, as it includes email addresses and other details typically only accessible through exported configs. Notably, many of the exposed passwords were long and complex, suggesting the attackers may have exploited previously unknown vulnerabilities or misconfigurations rather than brute-force methods. Beaumont’s analysis, based on Shodan network scans, found that nearly half of all internet-exposed Fortinet firewalls were included in the leak, with many devices exposing management interfaces directly to the web. ### Unanswered Questions The exact method of initial compromise remains unclear. Researchers have not determined whether the data was obtained via known Fortinet vulnerabilities, a zero-day flaw, or another attack vector. Neither Diachenko, Hudson Rock, nor Beaumont have identified the original source of the configuration leaks. Fortinet has been contacted for comment but has not yet responded. The dataset’s scale and the ongoing exposure of affected devices underscore the severity of the breach, with potential implications for supply chain security, government networks, and critical infrastructure.