Security researchers say FortiBleed includes Fortinet VPN credentials for 73,932 firewall URLs, with affected organizations across telecom, manufacturing, government, health care, education and finance.

Security researcher Bob Diachenko found an exposed server containing Fortinet and FortiGate VPN credentials for 73,932 firewall URLs, a leak researchers now call FortiBleed.
Diachenko said the data included usernames, email addresses and plaintext passwords. Screenshots he shared listed major organizations, including Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec and State Grid.
"Massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action," Diachenko wrote on LinkedIn. He said one file included 21,634 domain names and passwords that could work against FortiGate appliances.

Threat intelligence firm Hudson Rock reviewed the dataset after Diachenko shared it. The company said the collection includes 73,932 unique firewall URLs across 194 countries and affects 21,632 unique domains.
Hudson Rock said affected organizations span telecom, IT services, finance, government, health care, education and manufacturing. The company listed India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile and the United Arab Emirates among the countries with the most affected devices.
The exposed files also included notes on each organization’s industry, revenue and employee count. Attackers often use that kind of profiling to rank victims, plan extortion and choose targets with access to sensitive networks.
Diachenko said other files on the same server pointed to a Russian-speaking, multi-operator threat group that targeted FortiGate SSL VPN devices. He said the group ran about 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 Microsoft SQL Server systems.
He also said the attackers captured SSL VPN authentication hashes, cracked them with a 45-GPU cluster managed through Hashtopolis and used the recovered credentials to reach internal Active Directory environments.
"They accidentally left an open directory with artefacts, connection strings, tooling, scripts and data online," Diachenko told BleepingComputer. He said cron jobs, bash histories and logs exposed the attack operation’s internal records.
Security researcher Kevin Beaumont reviewed parts of the data and said he confirmed some admin logins and passwords. "This looks like a real dump," Beaumont said.
Beaumont later said the dataset appears to include credentials for about 75,000 Fortinet devices, most of which remain online. He said the records look like they came from exported Fortinet configurations because they include details, such as email addresses, that administrators store inside configs.
That finding matters because a configuration leak points to a deeper compromise than a basic credential-stuffing list. Attackers who obtain Fortinet configuration files can learn VPN settings, user records, authentication details and network structure. Those details help an intruder move from a firewall login to internal systems.
The source of the configuration data remains unknown. Researchers have not tied the leak to a specific Fortinet vulnerability, a new flaw or another access path.
Fortinet customers should treat any match in the dataset as a confirmed compromise rather than a possible one. Security teams should rotate passwords for Fortinet VPN and administrative accounts, enforce multifactor authentication, review FortiGate logs for failed and successful SSL VPN logins from unfamiliar sources, check Active Directory for unusual logons and look for exposed employee credentials. Because the records appear to come from exported configurations, any other secret stored in the configuration should be assumed exposed and rotated as well.
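The log review above is the part teams most often skip. The following added example, which is not from the article or from Fortinet, walks FortiGate-style key=value event lines and flags two patterns that match the campaign described here: a source that fails across many usernames (a spray or stuffing run) and a successful SSL VPN login from a source that had already racked up failures (a cracked or leaked credential being used by the same operator). The log lines are constructed for this example, and the field names and action values (`ssl-login-fail`, `ssl-login`, `remip`) are assumptions about the FortiGate format rather than text from the page.

```python
import re
from collections import defaultdict

# Matches key=value pairs; values may be double-quoted (possibly containing
# spaces) or bare tokens, which is how FortiGate emits its syslog fields.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed log lines in FortiGate key=value style. Field names and action
# values are assumptions for this example, not taken from the article.
SAMPLE_LOGS = """\
date=2025-01-10 time=03:14:07 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.23 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=03:14:08 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=198.51.100.23 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=03:14:09 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="ops" remip=198.51.100.23 reason="sslvpn_login_unknown_user"
date=2025-01-10 time=03:14:10 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="svc_backup" remip=198.51.100.23 reason="sslvpn_login_unknown_user"
date=2025-01-10 time=03:14:11 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=198.51.100.23 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=03:14:12 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="asmith" remip=198.51.100.23 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=03:14:20 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login" user="jdoe" remip=198.51.100.23 msg="SSL user logged in"
date=2025-01-10 time=08:02:11 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login-fail" user="asmith" remip=203.0.113.77 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:02:40 devname="FGT-EDGE" type="event" subtype="vpn" action="ssl-login" user="asmith" remip=203.0.113.77 msg="SSL user logged in"
"""


def parse_line(line):
    """Return the line's fields as a dict with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect(lines, fail_threshold=5, min_users=3):
    """Walk SSL VPN event lines in order.

    A source is reported as spraying once it has at least fail_threshold
    failures spread over at least min_users distinct usernames. Any successful
    login from a source that had already crossed fail_threshold failures is
    reported as a likely compromised account, whatever the username.
    """
    fails = defaultdict(int)      # remip -> failed login count
    users = defaultdict(set)      # remip -> usernames it tried
    compromised = []              # (remip, user) for success after a failure run
    for line in lines:
        ev = parse_line(line)
        if ev.get("type") != "event" or ev.get("subtype") != "vpn":
            continue
        src, user = ev.get("remip"), ev.get("user")
        if ev.get("action") == "ssl-login-fail":
            fails[src] += 1
            users[src].add(user)
        elif ev.get("action") == "ssl-login" and fails[src] >= fail_threshold:
            compromised.append((src, user))
    spray = {src: (n, len(users[src])) for src, n in fails.items()
             if n >= fail_threshold and len(users[src]) >= min_users}
    return {"spray": spray, "compromised": compromised}


if __name__ == "__main__":
    result = detect(SAMPLE_LOGS.splitlines())
    for src, (n, u) in result["spray"].items():
        print(f"spray from {src}: {n} failures across {u} usernames")
    for src, user in result["compromised"]:
        print(f"success from {src} as {user} after a failure run: rotate and investigate")
```

The single failure followed by a success from 203.0.113.77 is left alone on purpose; a user mistyping a password once is noise, and the thresholds are what separate that from the 198.51.100.23 pattern. Tune `fail_threshold` and `min_users` to the device's normal traffic before relying on the output.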
Teams should also restrict FortiGate management interfaces from the public internet. Beaumont said many listed devices expose management access online, which gives attackers a direct path to test credentials and exploit flaws.
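To make concrete what a leaked configuration hands an attacker, and to give teams a way to check their own exports for the exposure Beaumont describes, the following added example (not from the article, Fortinet or the researchers quoted) parses the config / edit / set / next / end block structure of a FortiOS export and reports three things: login protocols allowed on a WAN-role interface, administrators with no trusted-host restriction, and local users with no second factor, together with the e-mail address the config stores for them. The sample export is constructed for this example with placeholder ENC values, and it assumes a `show`-style export that omits settings at their defaults.

```python
import shlex

# Constructed sample of a FortiOS configuration export (not data from the
# leak), trimmed to the sections this audit reads. ENC values are placeholders.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AAAAplaceholder==
    next
    edit "ops"
        set trusthost1 10.0.0.0 255.0.0.0
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AAAAplaceholder==
    next
end
config user local
    edit "jdoe"
        set type password
        set passwd ENC AAAAplaceholder==
        set email-to "jdoe@example.com"
    next
    edit "asmith"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOBplaceholder"
        set passwd ENC AAAAplaceholder==
        set email-to "asmith@example.com"
    next
end
"""

# allowaccess values that present a login prompt to whoever can reach the interface.
LOGIN_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_fortios(text):
    """Turn the config / edit / set / next / end structure into
    {section: {entry: {key: [values]}}}. A stack of (section, entry) pairs
    lets nested config blocks return to their parent on 'end'."""
    sections = {}
    stack = []  # each item: [section name, current entry name]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            name = " ".join(args)
            sections.setdefault(name, {})
            stack.append([name, ""])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            section, entry = stack[-1]
            sections[section].setdefault(entry, {}).setdefault(args[0], []).extend(args[1:])
        elif cmd == "next":
            stack[-1][1] = ""
        elif cmd == "end":
            stack.pop()
    return sections


def audit(sections):
    """Return (finding, object, detail) tuples for what matters when a
    config like this leaks."""
    findings = []
    # 1. Login protocols reachable on a WAN-role interface.
    for name, iface in sections.get("system interface", {}).items():
        exposed = LOGIN_PROTOCOLS & set(iface.get("allowaccess", []))
        if name and iface.get("role") == ["wan"] and exposed:
            findings.append(("mgmt-exposed", name, sorted(exposed)))
    # 2. Admins with no trusthost: a leaked password works from anywhere
    #    the interface is reachable. Assumes unset trusthosts are omitted
    #    from the export (or exported as 0.0.0.0 0.0.0.0).
    for name, admin in sections.get("system admin", {}).items():
        hosts = [v for k, v in admin.items() if k.startswith("trusthost")]
        if name and (not hosts or all(h[:2] == ["0.0.0.0", "0.0.0.0"] for h in hosts)):
            findings.append(("admin-no-trusthost", name, None))
    # 3. Local password users with no second factor, plus the stored e-mail,
    #    which is exactly the kind of field the leaked records were seen to hold.
    for name, user in sections.get("user local", {}).items():
        if name and user.get("type") == ["password"] and "two-factor" not in user:
            findings.append(("user-no-2fa", name, user.get("email-to", [None])[0]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(*finding)
```

Run against a real export, the interface finding is the one to fix first: an interface whose `allowaccess` keeps only `ping` on the WAN side, with admin access moved to a dedicated management interface or VPN, removes the direct path the article describes regardless of which passwords were in the dump.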
Hudson Rock released a free FortiBleed lookup tool for organizations that want to check exposure. Fortinet customers can also review the vendor’s FortiGate documentation and security advisories through the Fortinet PSIRT page.
BleepingComputer contacted Fortinet for comment and said it would update its report if the company responds.
