A new security incident known as FortiBleed has exposed Fortinet VPN credentials for tens of thousands of organizations worldwide. Researchers found a database containing login credentials for more than 73,000 Fortinet and FortiGate firewall devices. The data includes usernames, email addresses, and plaintext passwords. The list names household brands like Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, and Toyota.
Security researcher Bob Diachenko first spotted the exposed server. He described the find as a massive brute-force and active exploitation campaign targeting Fortinet appliances.
One file he reviewed listed more than 21,000 domain names alongside what looked like working passwords. The data also included notes on each victim’s industry, revenue, and employee count. Those details look more useful for planning an attack than for any legitimate purpose.
Inside the FortiBleed Leak Database
The scale of this FortiBleed leak sets it apart from earlier Fortinet credential dumps. Threat intelligence firm Hudson Rock later analyzed the same dataset. The firm confirmed 73,932 unique firewall URLs spanning 194 countries and 21,632 unique domains. India, the United States, Taiwan, Mexico, and Turkey showed the highest concentrations of affected devices.
Telecommunications, financial services, healthcare, education, and manufacturing companies appear most often in the data. Many of the exposed passwords were long and complex, which made the leak more puzzling. Strong passwords should resist cracking attempts. Their presence in the dump suggests attackers found another way in beyond simple guesswork.
How Attackers Allegedly Collected the Credentials
Diachenko later linked the operation to a Russian-speaking threat group. He says the group ran roughly 1.16 billion credential attempts against more than 320,000 FortiGate targets. The same attackers allegedly launched 2.1 billion attempts against over 163,000 Microsoft SQL Server systems. These numbers point to an automated, large-scale operation rather than a handful of opportunistic attackers.
According to Diachenko, the attackers intercepted SSL VPN authentication hashes and cracked them using a cluster of 45 graphics cards. Once inside, they reportedly used the recovered logins to move laterally through internal Active Directory networks. Diachenko said attackers fully compromised several organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey. One Turkish defense contractor working with NATO allegedly lost classified documents as a result.
Independent Researchers Confirm the Data Is Real
Cybersecurity researcher Kevin Beaumont reviewed the dataset separately. He confirmed that some of the admin logins and passwords are genuine.
Beaumont estimated the leak covers close to 75,000 Fortinet devices, and most of them are still reachable online today. He also concluded the credentials likely came from exported Fortinet configuration files. The data included details that normally exist only inside those configs, not in a fresh exploit.
This leak differs from the 2025 Belsen Group incident because the affected IP addresses do not overlap. Both incidents exposed VPN credentials tied to Fortinet hardware, but they hit separate sets of devices.
Beaumont noted that the newly exposed devices represent roughly half of all Fortinet firewalls visible on the public internet through Shodan. Many of those devices expose their management interfaces directly to the web. That single choice gives attackers a much easier path inside.
Why So Many Devices Stay Exposed
Nobody has confirmed exactly how the attackers first obtained the configuration data. It could trace back to a previously known Fortinet flaw, a new one, or some other method entirely. Fortinet has not yet issued a public response to the findings, though researchers have asked the company to comment.
Exposing a firewall’s management interface to the open internet creates serious risk. This holds true even when the device runs a recent software version. Attackers only need one valid set of credentials to slip past the front door. Once inside, they can quietly harvest more logins and expand their access before anyone notices.
What Organizations Should Do Now
Hudson Rock built a free lookup tool so companies can check whether their domains appear in the leaked dataset. Any organization using Fortinet or FortiGate VPN equipment should act now rather than wait for official confirmation. Rotating every VPN and administrative password is the first step. It should not be the last one.
Enforcing multi-factor authentication across remote access points closes off one of the easiest paths attackers use after stealing a password. IT teams should also review gateway logs for unusual login attempts and unfamiliar IP addresses. Credential leaks like this one often surface gradually. Because of that, ongoing monitoring matters just as much as the initial cleanup.
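The log review recommended above can be automated. The script below is an added example written for this article; it is not Fortinet code and not part of any tool mentioned here. It parses SSL VPN event lines in a key="value" layout that approximates FortiGate syslog output (the field names remip, user and action are the ones FortiOS uses, the values are constructed) and flags three patterns a gateway owner would want to see after a leak like this one: a burst of failed logins from one source, a successful login from a source that had just been failing, and a successful login from outside the organisation's known egress ranges. The thresholds and the known-egress list are assumptions for the demonstration.

```python
"""
Triage of FortiGate-style SSL VPN event logs for signs of credential abuse.

Added example (not from the article, not Fortinet code). The log lines below are
constructed to approximate FortiGate's key="value" syslog format; the field names
remip, user and action are the ones FortiOS uses, but every value is invented.
Thresholds and the 'known egress' ranges are assumptions for the demo.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). One source, 203.0.113.9, sprays
# five accounts in eight seconds and then gets in as svc_sql; jdoe later logs in
# once from the corporate range and once from an address nobody recognises.
SAMPLE_LOGS = """\
date=2026-03-01 time=02:14:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.9 user="jdoe" reason="sslvpn_login_permission_denied"
date=2026-03-01 time=02:14:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.9 user="admin" reason="sslvpn_login_permission_denied"
date=2026-03-01 time=02:14:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.9 user="vpnuser" reason="sslvpn_login_permission_denied"
date=2026-03-01 time=02:14:07 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.9 user="backup" reason="sslvpn_login_permission_denied"
date=2026-03-01 time=02:14:09 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.9 user="svc_sql" reason="sslvpn_login_permission_denied"
date=2026-03-01 time=02:14:30 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.9 user="svc_sql" tunneltype="ssl-tunnel"
date=2026-03-01 time=08:05:12 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.20 user="jdoe" tunneltype="ssl-tunnel"
date=2026-03-01 time=09:41:55 type="event" subtype="vpn" action="tunnel-up" remip=192.0.2.77 user="jdoe" tunneltype="ssl-tunnel"
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes and adding a timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def analyze(log_text, known_egress=("198.51.100.0/24",), fail_threshold=5, window_s=60):
    """Return a list of findings (dicts with a 'type' key) for the given log text.

    known_egress: CIDR ranges the organisation expects its users to come from
    (assumed value for the demo). fail_threshold/window_s define a brute-force burst.
    """
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    known = [ipaddress.ip_network(n) for n in known_egress]
    findings = []

    fails_by_ip = defaultdict(list)
    for ev in events:
        if ev.get("action") == "ssl-login-fail":
            fails_by_ip[ev["remip"]].append(ev)

    # 1. Brute force: fail_threshold or more failures from one IP inside window_s seconds.
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i in range(len(fails) - fail_threshold + 1):
            span = (fails[i + fail_threshold - 1]["ts"] - fails[i]["ts"]).total_seconds()
            if span <= window_s:
                users = sorted({e["user"] for e in fails[i:i + fail_threshold]})
                findings.append({"type": "brute_force", "ip": ip, "users": users})
                break  # one finding per source is enough for triage

    # 2. A tunnel came up from an IP that had been failing: a guessed or leaked credential worked.
    for ev in events:
        if ev.get("action") == "tunnel-up" and ev["remip"] in fails_by_ip:
            findings.append({"type": "success_after_failures", "ip": ev["remip"], "user": ev["user"]})

    # 3. Successful login from outside the allowlisted egress ranges (unfamiliar IP address).
    for ev in events:
        if ev.get("action") == "tunnel-up":
            addr = ipaddress.ip_address(ev["remip"])
            if not any(addr in net for net in known):
                findings.append({"type": "unfamiliar_source", "ip": ev["remip"], "user": ev["user"]})

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

Run against the sample, the script reports one brute-force burst, one success-after-failures hit for svc_sql and two logins from unfamiliar sources; the login from 198.51.100.20 is silent because that range is allowlisted. On a real gateway the same three checks belong in the SIEM as standing rules rather than a one-off script, since, as noted above, leaked credentials tend to be tried over weeks, not in a single burst.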
Final Thoughts
FortiBleed makes one thing clear: Fortinet’s VPN appliances need the same security discipline as any other internet-facing system. A leaked credential database affecting major global brands shows how quickly stolen logins spread once attackers gain a foothold. Strong passwords alone will not help if the device exposing them sits openly on the internet.
Anyone responsible for VPN infrastructure should treat this incident as a prompt to audit access controls now. Waiting until a breach confirms the worst is too late. Pairing strict authentication rules with regular log reviews makes future incidents far less likely to succeed. The organizations named in this leak learned that lesson the hard way, but the rest of us still have time to act on it.