What happened
A newly discovered data leak dubbed “FortiBleed” has exposed what appears to be a massive collection of Fortinet and FortiGate VPN credentials tied to 73,932 firewall URLs worldwide.
The leak was discovered by security researcher Bob Diachenko, who found an exposed server containing usernames, email addresses, and plaintext passwords associated with Fortinet VPN devices. The dataset included organizations across a wide range of industries and geographies.
The dataset contains credentials linked to 73,932 unique firewall URLs across 194 countries and impacts 21,632 unique domains. Organizations appearing in the dataset reportedly include major enterprises, government agencies, critical infrastructure operators, telecommunications providers, manufacturers, healthcare organizations, and financial services firms.
Researchers found evidence suggesting the operators behind the credential collection conducted large-scale attacks against Fortinet VPN infrastructure. Diachenko reported that the exposed files referenced approximately 1.16 billion credential attempts against more than 320,000 FortiGate targets.
Cybersecurity researcher Kevin Beaumont independently reviewed portions of the leaked data and said some of the credentials appear authentic. Beaumont also reported that many of the affected devices remain online and that the dataset appears to be recent.
One notable aspect of the leak is that many of the exposed passwords were long and complex, leading researchers to believe the credentials may have originated from exported Fortinet configurations rather than simple password guessing alone.
The original source of the configuration data remains unknown. Researchers have not determined whether the information was obtained through previously disclosed vulnerabilities, a new flaw, credential harvesting operations, or another compromise method.
After publication of the findings, Fortinet stated that its investigation indicates the exposed credentials are a resharing of information obtained through previous incidents and brute-force attacks and are not connected to a newly disclosed vulnerability, breach, or security advisory.
Who is affected
Organizations using Fortinet firewalls and FortiGate VPN infrastructure may be affected if their devices appear in the leaked dataset.
According to analysis, the leak impacts organizations across 194 countries and nearly every major industry sector. Telecommunications, IT services, financial services, government organizations, healthcare providers, educational institutions, and manufacturing companies are among the most represented sectors.
The dataset reportedly includes credentials associated with both VPN access and administrative interfaces, creating potential risk for unauthorized access to perimeter infrastructure and internal networks.
Organizations whose credentials remain valid may face elevated risk of unauthorized VPN access, administrative compromise, lateral movement, and credential-based attacks.
Why CISOs should care
This is one of the largest publicly reported collections of Fortinet-related credentials to date. If valid credentials remain active, attackers may be able to bypass many traditional perimeter defenses without exploiting software vulnerabilities.
The incident also highlights the long-term risk of credential compromise. Fortinet stated that the exposed data appears to be a combination of information from previous incidents and credential-harvesting activity rather than a new vulnerability. Even so, organizations that fail to rotate credentials after past compromises may remain exposed years later.
The possibility that configuration exports contributed to the dataset is also significant. Firewall configurations can contain sensitive operational details, user accounts, email addresses, VPN settings, and administrative credentials that provide attackers with valuable intelligence for follow-on attacks.
For CISOs, the key lesson is that credential security remains as important as vulnerability management. Strong passwords alone are not sufficient if credentials are stolen, harvested, or extracted from configuration files.
3 practical actions
- Rotate Fortinet VPN and administrative credentials immediately: Organizations using Fortinet devices should reset passwords associated with VPN access and administrative accounts, especially if those credentials have been in use for extended periods.
- Enforce multifactor authentication across all remote access services: Even if credentials are exposed, MFA can significantly reduce the likelihood of successful unauthorized access to VPN and management interfaces.
- Review firewall and VPN logs for signs of suspicious activity: Security teams should examine authentication logs, administrative access events, unusual login locations, and evidence of unauthorized VPN sessions that may indicate compromised credentials have been used.
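As an added example for the log-review action above (not code from this article or from Fortinet), the following Python pass over VPN events flags a successful login from an address with repeated prior failures and a login from a country new to the account. The key=value layout, field names, sample lines, and baseline are constructed assumptions to be mapped onto your own log export.

```python
import re
from collections import Counter

# Constructed sample events. The key=value layout and field names (subtype,
# action, user, remip, srccountry) are assumptions modelled on FortiGate event
# logs; map them to the fields your own log export contains.
SAMPLE_LOG = """\
date=2025-01-10 time=02:11:01 subtype="vpn" action="ssl-login-fail" user="jdoe" remip=203.0.113.7 srccountry="Netherlands"
date=2025-01-10 time=02:11:03 subtype="vpn" action="ssl-login-fail" user="asmith" remip=203.0.113.7 srccountry="Netherlands"
date=2025-01-10 time=02:11:05 subtype="vpn" action="ssl-login-fail" user="svc-vpn" remip=203.0.113.7 srccountry="Netherlands"
date=2025-01-10 time=02:11:09 subtype="vpn" action="tunnel-up" user="svc-vpn" remip=203.0.113.7 srccountry="Netherlands"
date=2025-01-10 time=08:30:00 subtype="vpn" action="tunnel-up" user="jdoe" remip=198.51.100.20 srccountry="United States"
date=2025-01-10 time=09:02:44 subtype="vpn" action="tunnel-up" user="asmith" remip=192.0.2.55 srccountry="Brazil"
"""
# Hypothetical baseline: countries each account has logged in from before.
BASELINE = {u: {"United States"} for u in ("jdoe", "asmith", "svc-vpn")}
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def review(lines, baseline, fail_threshold=3):
    """Return (time, user, remip, reasons) for VPN logins worth a closer look."""
    failures = Counter()  # failed logins seen so far, per source IP
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("subtype") != "vpn":
            continue
        ip, user = ev.get("remip", "?"), ev.get("user", "?")
        if ev.get("action") == "ssl-login-fail":
            failures[ip] += 1
        elif ev.get("action") == "tunnel-up":
            reasons = []
            # Success from an address that already failed repeatedly, possibly
            # against several accounts, points to a guessed or reused password.
            if failures[ip] >= fail_threshold:
                reasons.append("success-after-failures")
            # Login from a country this account has not used before.
            if ev.get("srccountry") not in baseline.get(user, set()):
                reasons.append("new-country")
            if reasons:
                findings.append((ev.get("time"), user, ip, reasons))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines(), BASELINE):
        print(finding)
```

Accounts flagged this way are the first candidates for the credential rotation and MFA enforcement listed above.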
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

