FortiBleed: Massive Fortinet VPN Credential Leak Exposes 74,000 Firewalls Worldwide
A newly uncovered data leak, dubbed FortiBleed, has exposed credentials for 73,932 Fortinet and FortiGate VPN firewalls across organizations globally. Security researcher Bob Diachenko discovered the breach after identifying an unsecured server containing usernames, email addresses, and plaintext passwords for high-profile targets, including Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, and multiple government agencies.
The dataset, analyzed by Diachenko and later confirmed by threat intelligence firm Hudson Rock, includes 21,632 unique domains spanning 194 countries, with the highest concentrations of affected devices in India, the U.S., Taiwan, Mexico, and Turkey. The compromised credentials span industries such as telecommunications, IT services, finance, healthcare, manufacturing, and critical infrastructure.
Attack Method & Scope
Diachenko’s investigation revealed the breach was orchestrated by a Russian-speaking threat group that conducted 1.16 billion credential-stuffing attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 Microsoft SQL servers. The attackers used a 45-GPU cluster running Hashtopolis to crack intercepted SSL VPN authentication hashes, then leveraged the stolen credentials to infiltrate Active Directory environments.
Additional exposed files accidentally left accessible on the same server contained attack logs, scripts, and tooling, along with detailed profiles of targeted organizations, including revenue, employee counts, and industry classifications. The breach also led to full compromises of entities in Japan, Taiwan, Vietnam, Iraq, and Turkey, including a Turkish NATO defense contractor, from which classified documents were allegedly exfiltrated.
Credential Authenticity & Origin
Cybersecurity researcher Kevin Beaumont independently verified portions of the dataset, confirming that many credentials were legitimate and that roughly 75,000 Fortinet devices most still online were affected. The data appears to have been extracted from Fortinet configuration files, as it includes email addresses and other details typically only accessible through exported configs.
Notably, many of the exposed passwords were long and complex, suggesting the attackers may have exploited previously unknown vulnerabilities or misconfigurations rather than brute-force methods. Beaumont’s analysis, based on Shodan network scans, found that nearly half of all internet-exposed Fortinet firewalls were included in the leak, with many devices exposing management interfaces directly to the web.
Unanswered Questions
The exact method of initial compromise remains unclear. Researchers have not determined whether the data was obtained via known Fortinet vulnerabilities, a zero-day flaw, or another attack vector. Neither Diachenko, Hudson Rock, nor Beaumont have identified the original source of the configuration leaks.
Fortinet has been contacted for comment but has not yet responded. The dataset’s scale and the ongoing exposure of affected devices underscore the severity of the breach, with potential implications for supply chain security, government networks, and critical infrastructure.
Mercedes-Benz USA cybersecurity rating report: https://www.rankiteo.com/company/mercedes-benz-usa
Chevron cybersecurity rating report: https://www.rankiteo.com/company/chevron
Samsung Electronics cybersecurity rating report: https://www.rankiteo.com/company/samsung-electronics
Comcast cybersecurity rating report: https://www.rankiteo.com/company/comcast
Foxconn cybersecurity rating report: https://www.rankiteo.com/company/foxconn
AT&T cybersecurity rating report: https://www.rankiteo.com/company/att
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
Toyota Motor Corporation cybersecurity rating report: https://www.rankiteo.com/company/toyota
"id": "MERCHESAMCOMFOXATTFORTOY1781713752",
"linkid": "mercedes-benz-usa, chevron, samsung-electronics, comcast, foxconn, att, fortinet, toyota",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Energy',
'location': 'Global',
'name': 'Chevron',
'type': 'Corporation'},
{'industry': 'Technology/Electronics',
'location': 'Global',
'name': 'Samsung',
'type': 'Corporation'},
{'industry': 'Manufacturing/Technology',
'location': 'Global',
'name': 'Foxconn',
'type': 'Corporation'},
{'industry': 'Telecommunications',
'location': 'United States',
'name': 'Comcast',
'type': 'Corporation'},
{'industry': 'Telecommunications',
'location': 'United States',
'name': 'AT&T',
'type': 'Corporation'},
{'industry': 'Automotive',
'location': 'Global',
'name': 'Mercedes-Benz',
'type': 'Corporation'},
{'industry': 'Automotive',
'location': 'Global',
'name': 'Toyota',
'type': 'Corporation'},
{'industry': 'Defense',
'location': 'Turkey',
'name': 'Turkish NATO defense contractor',
'type': 'Government/Defense Contractor'},
{'industry': 'Government',
'location': 'Global',
'type': 'Government Agencies'}],
'attack_vector': 'Credential Stuffing, SSL VPN Authentication Hash Cracking',
'data_breach': {'data_exfiltration': 'Yes (classified documents from a '
'Turkish NATO defense contractor)',
'number_of_records_exposed': '73,932 Fortinet devices, 21,632 '
'unique domains',
'personally_identifiable_information': 'Yes (email addresses, '
'usernames, passwords)',
'sensitivity_of_data': 'High (plaintext passwords, personally '
'identifiable information, classified '
'documents)',
'type_of_data_compromised': 'Credentials (usernames, email '
'addresses, plaintext passwords), '
'attack logs, scripts, tooling, '
'organizational profiles, '
'classified documents'},
'description': 'A newly uncovered data leak, dubbed *FortiBleed*, has exposed '
'credentials for 73,932 Fortinet and FortiGate VPN firewalls '
'across organizations globally. The breach includes usernames, '
'email addresses, and plaintext passwords for high-profile '
'targets, including Chevron, Samsung, Foxconn, Comcast, AT&T, '
'Mercedes-Benz, Toyota, and multiple government agencies. The '
'dataset spans 194 countries and industries such as '
'telecommunications, IT services, finance, healthcare, '
'manufacturing, and critical infrastructure.',
'impact': {'data_compromised': 'Usernames, email addresses, plaintext '
'passwords, attack logs, scripts, tooling, '
'organizational profiles (revenue, employee '
'counts, industry classifications), classified '
'documents (in some cases)',
'identity_theft_risk': 'High (exposure of personally identifiable '
'information)',
'operational_impact': 'Full compromises of entities in multiple '
'countries, potential supply chain security '
'risks',
'systems_affected': '73,932 Fortinet and FortiGate VPN firewalls, '
'Active Directory environments'},
'initial_access_broker': {'entry_point': 'Fortinet VPN firewalls, Microsoft '
'SQL servers',
'high_value_targets': 'Government agencies, defense '
'contractors, critical '
'infrastructure'},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'root_causes': 'Unknown (potentially '
'misconfigurations, zero-day '
'vulnerabilities, or exported '
'Fortinet configuration files)'},
'references': [{'source': 'Bob Diachenko (Security Researcher)'},
{'source': 'Hudson Rock (Threat Intelligence Firm)'},
{'source': 'Kevin Beaumont (Cybersecurity Researcher)'}],
'response': {'third_party_assistance': 'Hudson Rock, Kevin Beaumont'},
'threat_actor': 'Russian-speaking threat group',
'title': 'FortiBleed: Massive Fortinet VPN Credential Leak Exposes 74,000 '
'Firewalls Worldwide',
'type': 'Data Breach',
'vulnerability_exploited': 'Unknown (potentially misconfigurations or '
'zero-day flaws)'}