FortiBleed Leak Exposes 73,000 Fortinet VPN Credentials Worldwide
A newly discovered data leak dubbed "FortiBleed" has exposed a massive trove of Fortinet and FortiGate VPN credentials spanning 73,932 firewall URLs across 194 countries. Security researcher Bob Diachenko uncovered an exposed server containing what appeared to be valid Fortinet VPN credentials, including usernames, email addresses, and plaintext passwords. The dataset impacts 21,632 unique domains and lists organizations such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, and State Grid, with additional metadata tagging each entity's industry, revenue, and employee count—likely intended for staging targeted attacks. Users concerned about exposure can verify their accounts using an email breach checker.
According to Diachenko's investigation, the operation was conducted by a Russian-speaking multi-operator threat group that harvested credentials for FortiGate SSL VPN devices. The attackers allegedly executed approximately 1.16 billion credential-stuffing attempts against 320,777 FortiGate targets and an additional 2.1 billion attempts against 163,650 Microsoft SQL Server systems. They reportedly intercepted SSL VPN authentication hashes, cracked them using a 45-GPU cluster orchestrated through Hashtopolis, and leveraged the recovered credentials to move laterally into internal Active Directory environments. Diachenko obtained these details after the threat actors accidentally left an open directory containing artifacts, connection strings, tooling, scripts, logs, and cron job analytics exposed online.
The leak is particularly severe for organizations in Japan, Taiwan, Vietnam, Iraq, and Turkey, several of which Diachenko reports were fully compromised—including a Turkish NATO defense contractor from which classified documents were allegedly stolen. Threat intelligence firm Hudson Rock corroborated the scale of the exposure after receiving the dataset, describing it as one of the largest known collections of compromised Fortinet-related credentials, with attackers maintaining detailed logs of successful intrusions. The attack chain that enabled this campaign (credential stuffing against exposed SSL VPN portals, interception of authentication hashes, and offline cracking on a GPU cluster) highlights the ongoing risk facing edge appliances. Administrators are urged to rotate credentials immediately, enforce multi-factor authentication on all VPN endpoints, and audit Active Directory for signs of lateral movement.
Security teams should also reassess credential hygiene across their environments, since plaintext password reuse enables rapid pivoting once a single VPN foothold is established. A quick password strength check and a full privacy checkup can help identify weak or reused credentials before attackers do. Given that the leaked database includes operational notes and target profiles, defenders should treat this as an active threat and prioritize hardening internet-facing FortiGate appliances against brute-force and hash-interception techniques.
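One concrete way to act on the hardening advice above is to watch the SSL VPN event log for the signature of a credential-stuffing run: many failed logins from one source address, spread across many different usernames, optionally followed by a success from that same address. The script below is an added example written for this article; it is not code from the article, from Diachenko, or from Fortinet. The log lines are constructed, and while they imitate FortiGate's key=value event-log layout, the field names (`remip`, `user`, `action`) and the action values (`ssl-login-fail`, `ssl-login-ok`) are assumptions that should be checked against the log reference for your firmware version before deploying this against real logs.

```python
"""Flag credential-stuffing patterns in FortiGate-style SSL VPN event logs.

Added example, not from the article or from Fortinet. Field names and action
values are assumptions; verify them against your appliance's log reference.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (no real traffic or real credentials).
# 198.51.100.7 sprays six usernames, then logs in as "carol" (a likely hit).
# 203.0.113.5 is a legitimate user who mistypes a password twice.
SAMPLE_LOGS = """\
date=2025-01-10 time=08:00:01 action="ssl-login-fail" remip=198.51.100.7 user="alice"
date=2025-01-10 time=08:00:32 action="ssl-login-fail" remip=198.51.100.7 user="bob"
date=2025-01-10 time=08:01:05 action="ssl-login-fail" remip=198.51.100.7 user="carol"
date=2025-01-10 time=08:01:40 action="ssl-login-fail" remip=198.51.100.7 user="dave"
date=2025-01-10 time=08:02:11 action="ssl-login-fail" remip=198.51.100.7 user="erin"
date=2025-01-10 time=08:02:50 action="ssl-login-fail" remip=198.51.100.7 user="frank"
date=2025-01-10 time=08:04:00 action="ssl-login-ok" remip=198.51.100.7 user="carol"
date=2025-01-10 time=09:00:00 action="ssl-login-fail" remip=203.0.113.5 user="alice"
date=2025-01-10 time=09:00:20 action="ssl-login-fail" remip=203.0.113.5 user="alice"
date=2025-01-10 time=09:01:00 action="ssl-login-ok" remip=203.0.113.5 user="alice"
date=2025-01-10 time=10:15:00 action="ssl-login-fail" remip=192.0.2.9 user="bob"
"""

# Matches key=value pairs where the value is either quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

FAIL_ACTION = "ssl-login-fail"  # assumed action value for a failed login
OK_ACTION = "ssl-login-ok"      # assumed action value for a successful login


def parse_line(line):
    """Turn one key=value log line into a dict with a real timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "ip": fields.get("remip"),
            "user": fields.get("user"), "action": fields.get("action")}


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    fail_threshold=5, user_threshold=3):
    """Return {source_ip: finding} for addresses that look like stuffing runs.

    An address is flagged when, within any `window`, it produced at least
    `fail_threshold` failures across at least `user_threshold` distinct
    usernames. The finding also lists accounts that later logged in
    successfully from that address, which are the ones to rotate first.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["action"] == FAIL_ACTION]
        best = (0, 0)  # (failure count, distinct users) over the worst window
        j = 0
        for i in range(len(fails)):
            # Sliding window: advance j while fails[j] is within `window` of fails[i].
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            users = {e["user"] for e in fails[i:j]}
            best = max(best, (j - i, len(users)))
        count, distinct = best
        if count >= fail_threshold and distinct >= user_threshold:
            hits = sorted({e["user"] for e in evs
                           if e["action"] == OK_ACTION and e["ts"] > fails[0]["ts"]})
            findings[ip] = {"failures": count, "distinct_users": distinct,
                            "success_after_spray": hits}
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(SAMPLE_LOGS).items():
        print(ip, f)
```

Running the script on the constructed sample flags only 198.51.100.7 (six failures across six usernames, then a successful login as "carol"); the legitimate user at 203.0.113.5 stays under both thresholds because every failure is for the same account. The two thresholds are deliberately separate: a single account failing repeatedly is usually a forgotten password, whereas many distinct usernames from one address is the shape of a stuffing list being replayed, which is the behaviour the article's 1.16 billion attempts describe.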