A sprawling credential leak dubbed “FortiBleed” has exposed working administrator and VPN logins for nearly 74,000 Fortinet FortiGate firewalls across 194 countries, in what researchers are calling one of the largest Fortinet-related security incidents to date. Roughly half of all internet-facing FortiGate devices worldwide may be affected.
How It Was Discovered
Security researcher Volodymyr “Bob” Diachenko found the trove after stumbling on a server, left accidentally exposed online, that belonged to the attackers themselves. Rather than just stolen data, Diachenko uncovered the group’s actual operational infrastructure: cron jobs, bash histories, cracking scripts, and logs documenting an active, automated credential-harvesting campaign. He attributes the operation to a Russian-speaking threat group. Threat intelligence firm Hudson Rock and independent researcher Kevin Beaumont subsequently validated the dataset, confirming that sampled credentials were genuine and that many of the affected devices remained online and reachable.
No New Vulnerability — Just Scale
Importantly, FortiBleed isn’t tied to a freshly discovered software flaw. There’s no CVE and no patch to install. Instead, the operators built curated credential lists from previously leaked Fortinet data — including a 2021 dump of roughly 500,000 FortiGate VPN accounts and the 2025 Belsen Group leak — combined with passwords harvested in plaintext by infostealer malware on infected endpoints. Because infostealers capture credentials before any encryption is applied, even long, complex passwords offered no protection once a device was infected.
Where reused credentials failed, the group intercepted SSL VPN authentication hashes during login and cracked them offline using a 45-GPU cluster managed through the open-source Hashtopolis framework. Researchers say the attackers ran roughly 1.16 billion login attempts against more than 320,000 FortiGate targets, alongside 2.1 billion brute-force attempts against over 163,000 Microsoft SQL Server systems — evidence this is a broad initial-access operation, not one narrowly focused on Fortinet.
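Campaigns of this kind leave a distinctive trail in a FortiGate's own SSL VPN event logs: a burst of failures from one source address, many different usernames tried, and then a successful login from that same address once a reused credential works. The following Python snippet is an added example (not code from the article or from any of the researchers it cites) that scans such logs for those three signals. The sample lines are constructed, and the key=value field names and action strings (`remip`, `user`, `ssl-login-fail`, `ssl-login`) are assumptions about the FortiOS event-log layout that should be checked against a real export before use.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value event-log style. The field names
# (action, remip, user) and the ssl-login / ssl-login-fail action values are
# assumptions about the FortiOS log layout, not values taken from the article.
SAMPLE_LOGS = """\
date=2025-06-01 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="alice" reason="sslvpn_login_permission_denied"
date=2025-06-01 time=10:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob" reason="sslvpn_login_unknown_user"
date=2025-06-01 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="carol" reason="sslvpn_login_permission_denied"
date=2025-06-01 time=10:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="dave" reason="sslvpn_login_unknown_user"
date=2025-06-01 time=10:00:05 type="event" subtype="vpn" action="ssl-login" remip=203.0.113.7 user="carol" msg="SSL user logged in"
date=2025-06-01 time=10:05:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.5 user="erin" reason="sslvpn_login_permission_denied"
date=2025-06-01 time=10:05:09 type="event" subtype="vpn" action="ssl-login" remip=198.51.100.5 user="erin" msg="SSL user logged in"
"""

# Matches key="quoted value" or key=bare_value pairs.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: bare or quoted for k, quoted, bare in KV_RE.findall(line)}

def analyze(log_text, fail_threshold=3, spray_threshold=3):
    """Per source IP: count SSL VPN login failures, distinct usernames tried, and
    successful logins that follow a burst of failures (a reused credential that
    worked). Lines are processed in order, so the input must be chronological.
    Thresholds are kept low for the sample; tune them to the real login volume."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "vpn" or "remip" not in ev:
            continue
        s = stats[ev["remip"]]
        if ev.get("action") == "ssl-login-fail":
            s["failures"] += 1
            s["users"].add(ev.get("user", "?"))
        elif ev.get("action") == "ssl-login" and s["failures"] >= fail_threshold:
            s["success_after_failures"].append(ev.get("user", "?"))
    alerts = {}
    for ip, s in stats.items():
        reasons = []
        if s["failures"] >= fail_threshold:
            reasons.append("brute-force")
        if len(s["users"]) >= spray_threshold:
            reasons.append("credential-stuffing")
        if s["success_after_failures"]:
            reasons.append("success-after-failures")
        if reasons:
            alerts[ip] = {"failures": s["failures"], "distinct_users": len(s["users"]),
                          "success_after_failures": s["success_after_failures"], "reasons": reasons}
    return alerts

if __name__ == "__main__":
    for ip, alert in analyze(SAMPLE_LOGS).items():
        print(ip, alert)
```

The "success-after-failures" signal is the one worth paging on: it is exactly the moment a harvested or cracked credential starts being used, and the matching session can be terminated and the account reset before the attacker moves further.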
Who’s Affected
Hudson Rock’s analysis puts the number of unique compromised firewall URLs at 73,932, spanning more than 21,600 domains. Named organizations reportedly appearing in the dataset include Samsung, Oracle, Siemens, Foxconn, Comcast, Chevron, AT&T, Toyota, Accenture, and numerous government agencies and critical infrastructure operators. Diachenko says at least four organizations were fully compromised, including a Turkish NATO defense contractor from which classified documents were allegedly exfiltrated.
Fortinet has pushed back on the framing, describing the leak as a recycling of data from earlier incidents combined with brute-forcing rather than a new breach. Researchers counter that many affected devices run recent FortiOS versions and don’t overlap with previously known leaks, suggesting at least some of the data is current.
What Organizations Should Do
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged Fortinet customers to act immediately: terminate active SSL VPN and admin sessions, reset all passwords on internet-facing systems, enforce multi-factor authentication, and confirm devices are using the stronger PBKDF2 password-hashing standard rather than older, weaker methods. Hudson Rock has published a free lookup tool so organizations can check whether their domains appear in the dataset.
The core lesson echoed across the research community is a simple one: a firewall sitting exposed on the internet with reused or stolen credentials offers no real protection, no matter how strong the password looks on paper.
