FortiBleed leak exposes credentials linked to nearly 74,000 Fortinet devices worldwide

FortiBleed dataset reveals potential exposure of 73,932 Fortinet firewall credentials across 194 countries

A newly identified data leak known as FortiBleed has exposed what appears to be Fortinet and FortiGate VPN credentials associated with 73,932 firewall URLs across organizations worldwide, raising fresh cybersecurity concerns.

The exposed dataset was first discovered by security researcher Bob Diachenko, who found a server containing what appeared to be valid Fortinet VPN credentials, including usernames, email addresses and plaintext passwords.

According to information shared by Diachenko, the database contains records linked to major organizations across multiple industries. The exposed data also included details such as company sectors, revenue figures and employee counts, information that may have been used to plan targeted attacks.

“Massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action,” Diachenko posted on LinkedIn.

Further analysis by Diachenko suggested that a Russian-speaking multi-operator threat group may have collected credentials from FortiGate SSL VPN devices. According to his findings, the attackers allegedly carried out approximately 1.16 billion credential attempts against 320,777 FortiGate targets and another 2.1 billion attempts against 163,650 Microsoft SQL Server systems.

Diachenko also claimed the threat actors intercepted SSL VPN authentication hashes, cracked them using a 45-GPU cluster and used the recovered credentials to move laterally within targeted environments.

The researcher said he uncovered additional evidence after finding exposed directories containing scripts, logs, connection strings, tools and operational data left accessible online.

Threat intelligence firm Hudson Rock later examined the dataset and described it as one of the largest known collections of compromised Fortinet-related credentials. According to the company, the database includes 73,932 unique firewall URLs across 194 countries and affects 21,632 unique domains.

Hudson Rock reported that the highest numbers of impacted devices were located in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile and the United Arab Emirates. Telecommunications, IT services, financial services, government organizations, healthcare, education and manufacturing were among the most affected sectors.

Cybersecurity researcher Kevin Beaumont independently reviewed parts of the dataset and confirmed that some credentials appeared authentic. He stated that the leak contains credentials for approximately 75,000 Fortinet devices, most of which remain online.

According to Beaumont, the data likely originated from exported Fortinet configurations, as it contains information typically accessible only through configuration files. He also noted that the affected devices appear different from those involved in the 2025 Belsen Group Fortinet leak, suggesting a more recent and larger compromise.

The exact source of the leaked data remains unknown. Researchers have not yet determined whether it originated from previously disclosed vulnerabilities, a newly discovered flaw or another method.

Organizations potentially affected by the leak are being advised to immediately rotate passwords, enable multi-factor authentication (MFA), review gateway logs for suspicious activity and monitor employee credentials for exposure.
