Russian Cybercriminal Group Exposes 74,000 Fortinet Firewall Credentials in Massive Leak
A Russian-speaking cybercriminal group inadvertently exposed credentials from nearly 74,000 Fortinet firewalls and VPN gateways worldwide after leaving the data unsecured on a server. The breach, discovered by security researcher Volodymyr “Bob” Diachenko over the past weekend, was confirmed by other researchers, including Kevin Beaumont, who verified the authenticity of the leaked login details.
The compromised data, dubbed FortiBleed, includes configuration files containing sensitive information visible only from the devices themselves. The group obtained the credentials through automated large-scale harvesting, intercepting SSL VPN authentication hashes, cracking them using a 45-GPU cluster via Hashtopolis, and leveraging the passwords to infiltrate Active Directory environments. Researchers at Hudson Rock identified 73,932 unique firewall URLs across 194 countries, with many devices exposing their FortiGate Management Interface to the internet.
While Fortinet previously addressed password storage vulnerabilities in early 2025 by adopting PBKDF2 with randomized salt, many devices still use the older, weaker SHA-256 with salt method, making them susceptible to brute-force attacks. The leaked data appears to include both recently harvested credentials and older collections from prior breaches.
The breach impacts high-profile organizations, including Samsung, Siemens, Foxconn, Oracle, Accenture, DHL, Infosys, and Fortinet, as well as government agencies and critical infrastructure sectors. Notably, four organizations spanning Japan, Taiwan/Vietnam, Iraq, and Turkey were fully compromised, with a Turkish NATO defense contractor suffering exfiltration of classified defense documents.
Fortinet attributes the leak to exploited vulnerabilities and brute-force attacks, though the exact timeline of data collection remains unclear. Organizations using Fortinet devices are advised to assume compromise if their domains or IPs appear in the exposed dataset, requiring credential rotation, MFA enforcement, and system upgrades to mitigate further risks.
Source: https://www.helpnetsecurity.com/2026/06/18/fortinet-fortibleed-data-leak/
Samsung Electronics cybersecurity rating report: https://www.rankiteo.com/company/samsung-electronics
Foxconn cybersecurity rating report: https://www.rankiteo.com/company/foxconn
Oracle Security cybersecurity rating report: https://www.rankiteo.com/company/oracle-security
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
DHL cybersecurity rating report: https://www.rankiteo.com/company/dhl
"id": "SAMFOXORAFORDHL1781785487",
"linkid": "samsung-electronics, foxconn, oracle-security, fortinet, dhl",
"type": "Breach",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology',
'name': 'Samsung',
'type': 'Corporation'},
{'industry': 'Industrial Manufacturing',
'name': 'Siemens',
'type': 'Corporation'},
{'industry': 'Electronics Manufacturing',
'name': 'Foxconn',
'type': 'Corporation'},
{'industry': 'Technology',
'name': 'Oracle',
'type': 'Corporation'},
{'industry': 'Consulting',
'name': 'Accenture',
'type': 'Corporation'},
{'industry': 'Logistics',
'name': 'DHL',
'type': 'Corporation'},
{'industry': 'IT Services',
'name': 'Infosys',
'type': 'Corporation'},
{'industry': 'Cybersecurity',
'name': 'Fortinet',
'type': 'Corporation'},
{'industry': 'Defense',
'location': 'Turkey',
'name': 'Turkish NATO defense contractor',
'type': 'Government/Defense'},
{'industry': 'Government',
'location': ['Japan', 'Iraq', 'Taiwan/Vietnam'],
'type': 'Government Agency'},
{'type': 'Critical Infrastructure'}],
'attack_vector': ['Brute-force attack', 'Exploited vulnerabilities'],
'data_breach': {'data_exfiltration': 'Yes (e.g., Turkish NATO defense '
'contractor)',
'number_of_records_exposed': '73,932 unique firewall URLs',
'sensitivity_of_data': 'High (includes credentials, '
'classified documents, and sensitive '
'configurations)',
'type_of_data_compromised': ['Credentials',
'Configuration files',
'Classified defense documents']},
'description': 'A Russian-speaking cybercriminal group inadvertently exposed '
'credentials from nearly 74,000 Fortinet firewalls and VPN '
'gateways worldwide after leaving the data unsecured on a '
'server. The breach, discovered by security researcher '
'Volodymyr “Bob” Diachenko, included configuration files '
'containing sensitive information obtained through automated '
'large-scale harvesting, intercepting SSL VPN authentication '
'hashes, and cracking them using a 45-GPU cluster. The leaked '
'data impacts high-profile organizations, government agencies, '
'and critical infrastructure sectors, with some entities '
'suffering full compromise and data exfiltration.',
'impact': {'brand_reputation_impact': 'High (impacted high-profile '
'organizations and critical '
'infrastructure)',
'data_compromised': '73,932 unique firewall URLs with credentials',
'identity_theft_risk': 'High (exposure of credentials and '
'sensitive data)',
'operational_impact': 'Potential unauthorized access to Active '
'Directory environments and classified '
'documents',
'systems_affected': 'Fortinet firewalls and VPN gateways'},
'initial_access_broker': {'entry_point': 'Exposed FortiGate Management '
'Interface'},
'post_incident_analysis': {'corrective_actions': ['Adopt PBKDF2 with '
'randomized salt',
'Enforce MFA',
'Rotate credentials',
'Upgrade systems'],
'root_causes': ['Weak password storage (SHA-256 '
'with salt)',
'Exposed management interfaces',
'Lack of MFA enforcement']},
'recommendations': ['Assume compromise if domain/IP appears in exposed '
'dataset',
'Rotate credentials',
'Enforce MFA',
'Upgrade systems to use PBKDF2 with randomized salt'],
'references': [{'source': 'Volodymyr “Bob” Diachenko'},
{'source': 'Kevin Beaumont'},
{'source': 'Hudson Rock'}],
'response': {'remediation_measures': ['Credential rotation',
'MFA enforcement',
'System upgrades']},
'threat_actor': 'Russian-speaking cybercriminal group',
'title': 'Russian Cybercriminal Group Exposes 74,000 Fortinet Firewall '
'Credentials in Massive Leak',
'type': 'Data Breach',
'vulnerability_exploited': ['Weak password storage (SHA-256 with salt)',
'Exposed FortiGate Management Interface']}