If your organization runs a Fortinet FortiGate firewall — and hundreds of thousands of businesses do — you need to read this carefully. A newly discovered data leak dubbed “FortiBleed” has exposed what appears to be working VPN credentials for nearly 74,000 FortiGate firewall devices worldwide. This is not a theoretical risk. Independent researchers have confirmed the data is real.

What Happened

Security researcher Bob Diachenko discovered an open server containing a massive collection of Fortinet VPN credentials, including usernames, email addresses, and plaintext passwords for 73,932 unique firewall URLs spanning 194 countries. The exposed dataset was then independently analyzed by threat intelligence firm Hudson Rock, which confirmed its scope and published findings describing FortiBleed as one of the largest known collections of compromised Fortinet-related credentials ever uncovered.

Well-known cybersecurity researcher Kevin Beaumont reviewed portions of the data and confirmed its authenticity: “The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data.”

Among the organizations appearing in the FortiBleed dataset, according to Hudson Rock, are major corporations spanning telecom, financial services, IT, healthcare, government, and manufacturing sectors — household names from across the globe.

How the Attackers Executed the FortiBleed Operation

This was not a smash-and-grab. Based on artifacts left exposed on the same server, Diachenko pieced together a picture of a sophisticated, Russian-speaking, multi-operator threat group running an industrial-scale credential harvesting operation behind FortiBleed:

  • Approximately 1.16 billion credential attempts were made against over 320,000 FortiGate targets
  • Attackers intercepted SSL VPN authentication hashes and cracked them using a 45-GPU cluster managed through Hashtopolis
  • The recovered credentials were then used to move laterally into internal Active Directory environments
  • The dataset included annotations listing each target organization’s industry, revenue, and employee count — almost certainly used to prioritize high-value victims

Beaumont’s analysis adds a critical detail: the exposed credentials in FortiBleed appear to have originated from exported Fortinet configuration files, not just brute-forced login attempts. This means the attackers achieved a much deeper level of access than a simple login.

Beaumont also noted that based on Shodan data, the FortiBleed leaked dataset represents roughly half of all internet-accessible Fortinet firewalls. Let that sink in.

This Is Not the 2025 Belsen Group Leak

Some organizations may recall the January 2025 Belsen Group incident, in which configurations and VPN credentials for 15,000 FortiGate devices were leaked. FortiBleed is different — and significantly worse. Beaumont confirmed the affected IP addresses in the FortiBleed dataset are distinct from those in the earlier incident, indicating this is a separate, more recent, and considerably larger compromise. Many of the affected devices in FortiBleed were running relatively current FortiOS versions, which means patching alone is not sufficient.

Why This Matters Even if You Think You’re Patched

One aspect of the FortiBleed leak that deserves serious attention: many of the exposed passwords were long and complex — the kind that would ordinarily be considered strong. This was not a case of organizations using weak passwords. The attackers overcame credential complexity through massive computational power and configuration-level access.

If your organization’s FortiGate was reachable from the internet and credentials were in scope, the strength of those credentials may have been irrelevant. The real question is whether they were harvested through FortiBleed — not whether they were hard to guess.

Immediate Actions Every Business Must Take After FortiBleed

  1. Check Hudson Rock’s Free Lookup Tool: Hudson Rock has published a free FortiBleed lookup tool at hudsonrock.com/fortinet where you can check whether your organization’s firewall URLs appear in the dataset. Start here.
  2. Immediately Rotate All Fortinet Credentials: Rotate every password associated with your FortiGate VPN and administrative interfaces — not just the ones you think might be affected. Assume all FortiGate credentials are potentially compromised until proven otherwise.
  3. Enforce MFA on All VPN and Administrative Access: If you are not already requiring multi-factor authentication on your FortiGate VPN and admin console, implement it immediately. MFA does not prevent credential theft, but it dramatically raises the bar for credential use after incidents like FortiBleed.
  4. Audit Your FortiGate Management Interface Exposure: A significant portion of the affected devices expose their FortiGate management interfaces directly to the internet. There is no defensible reason for this in most modern environments. Management interfaces should be restricted to internal networks or accessed only via a secure jump host or VPN.
  5. Review Gateway Logs for Lateral Movement: Pull your FortiGate authentication logs and examine them for anomalous access patterns, off-hours authentications, or logins from unusual geographies. Look specifically for evidence of lateral movement into Active Directory.
  6. Monitor for Exposed Employee Credentials: The FortiBleed dataset includes email addresses pulled from device configurations. Those same email addresses may have associated credentials circulating in dark web markets. Running a dark web credential scan for your organization’s domain is highly recommended right now.
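As an added illustration of the log review in step 5 (example code written for this post, not a Fortinet or Hudson Rock tool), the script below parses constructed lines modeled on FortiOS key=value SSL VPN event logs and flags three patterns: successful logins outside business hours, logins from a source network you do not expect (a stand-in for geolocation, which needs an external database), and a success that follows repeated failures from the same source. The field names, action values, sample addresses and thresholds are assumptions; adjust them to your own exported logs.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample lines modeled on FortiOS key=value SSL VPN event logs (not real data).
SAMPLE_LOG = """\
date=2025-06-10 time=09:12:03 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip="203.0.113.10"
date=2025-06-10 time=23:41:17 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="198.51.100.7" reason="sslvpn_login_permission_denied"
date=2025-06-10 time=23:41:19 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="198.51.100.7" reason="sslvpn_login_permission_denied"
date=2025-06-10 time=23:41:22 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip="198.51.100.7"
date=2025-06-11 time=10:05:40 type="event" subtype="vpn" action="tunnel-up" user="alee" remip="203.0.113.22"
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key=value, value quoted or bare

def parse_line(line):
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4) for m in KV_RE.finditer(line)}

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def review_vpn_log(text, business_hours=(time(7), time(19)), known_networks=("203.0.113.",), fail_threshold=2, window_s=300):
    """Return a list of (finding, user, remip, timestamp) tuples for successful VPN logins that look anomalous."""
    findings = []
    recent_fails = defaultdict(list)  # (user, remip) -> timestamps of failed logins
    for ev in parse_log(text):
        if ev.get("subtype") != "vpn":
            continue
        ts = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
        key = (ev.get("user"), ev.get("remip"))
        if ev.get("action") == "ssl-login-fail":
            recent_fails[key].append(ts)
            continue
        if ev.get("action") != "tunnel-up":
            continue
        # Successful login outside the configured business-hours window
        if not (business_hours[0] <= ts.time() < business_hours[1]):
            findings.append(("off-hours login", *key, ts))
        # Successful login from a source network not in the expected set
        if not any(ev["remip"].startswith(n) for n in known_networks):
            findings.append(("unexpected source network", *key, ts))
        # Success shortly after repeated failures from the same source: consistent with credential testing
        fails = [f for f in recent_fails[key] if (ts - f).total_seconds() <= window_s]
        if len(fails) >= fail_threshold:
            findings.append(("success after repeated failures", *key, ts))
    return findings
```

Each finding names the user and source address so it can be matched against Active Directory logon events for the same account and time window.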

The Bigger Picture: Why Perimeter Devices Are Prime Targets

FortiBleed serves as a stark reminder that perimeter security devices are high-value targets precisely because they sit at the edge of everything. Your firewall is not just a security control — it is also a credential store, a configuration repository, and a launchpad for network-wide access. When it’s compromised, the attacker doesn’t just get through the gate. They get the keys to everything behind it.

Beyond immediate credential rotation and MFA enforcement, organizations should consider implementing more advanced controls: regular configuration backups with integrity checking, automated exposure monitoring, zero-trust network architecture principles, and continuous logging with behavioral analytics.

The speed at which threat actors move after major leaks like FortiBleed means delayed response can be catastrophic. Attackers are already scanning for vulnerable devices and testing stolen credentials across the internet.

If you’re running FortiGate devices and are unsure whether your organization is affected, or if you need expert help assessing your exposure and hardening your edge infrastructure, Black Belt Secure’s team is ready to help.

Contact us today — because the organizations that act decisively now are the ones that avoid the breach notice later.