FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices.
The FortiBleed leak is a large-scale exposure of Fortinet FortiGate VPN credentials covering 73,932 firewall URLs worldwide. The leaked records hold usernames, email addresses and plaintext passwords, apparently extracted from FortiGate device configurations. Organizations across many industries and countries are affected, and some of the listed devices are still online and reachable. The source of the leak is unknown; it has not been tied to a specific vulnerability, and it is unclear whether the data was obtained through one or by other means. Threat actors reportedly ran large-scale credential attacks against FortiGate devices with the data and used the accounts they recovered to move laterally inside victim networks. Several high-profile companies and government agencies are impacted. No official patch or fix has been confirmed at this time.
AI Analysis
Technical Summary
FortiBleed is a data leak exposing nearly 74,000 Fortinet FortiGate VPN credentials, including usernames and plaintext passwords, apparently harvested from device configuration files. The leak was discovered by security researcher Bob Diachenko and analyzed by Hudson Rock and Kevin Beaumont, who confirmed that the credentials are genuine and that many of the affected devices remain online. The attackers, linked to a Russian-speaking group run by several operators, made over a billion credential attempts against FortiGate devices and Microsoft SQL servers, cracked captured authentication hashes on GPU clusters, and used the recovered credentials for lateral movement in internal networks. The dump also carries detailed organizational data and spans a broad range of sectors worldwide. How the data was exfiltrated is still unknown, and it has not been attributed to any known Fortinet vulnerability. Organizations are urged to rotate credentials and enforce multi-factor authentication.
Potential Impact
The leak exposes valid administrative and VPN credentials for tens of thousands of Fortinet devices worldwide, which may give unauthorized parties direct access to the networks behind them. A VPN foothold of that kind supports lateral movement inside the compromised environment and may lead to data theft, including classified material held by sensitive organizations. Affected victims span a wide range of industries and critical infrastructure sectors in nearly 200 countries. Because many of the passwords are in plaintext and still valid, they can be replayed directly against the devices, so the risk of compromise is correspondingly high. In scale and scope this is one of the largest known collections of Fortinet-related credentials, and many of the devices in it are still reachable online.
Mitigation Recommendations
No patch applies yet: the leak has not been tied to a Fortinet vulnerability, so there is no advisory to install and the remediation is credential hygiene. Organizations whose devices appear in the FortiBleed data should immediately rotate all Fortinet VPN and administrative interface passwords. Because the data appears to come from device configurations, treat everything stored in an affected configuration as exposed: a FortiGate configuration also holds IPsec pre-shared keys, LDAP and RADIUS bind passwords, SNMP community strings and local administrator accounts, so rotate those alongside the VPN passwords and review the administrator list for accounts you did not create. Enforce multi-factor authentication (MFA) on all Fortinet devices and related services. Examine gateway and VPN logs for signs of unauthorized access, in particular runs of failed logins for many different usernames from one source address followed by a success, and administrator logins from addresses outside your management ranges. Restrict administrative access to trusted hosts and keep it off internet-facing interfaces. Monitor for exposed employee credentials and consider additional network segmentation to limit lateral movement. Watch for official guidance from Fortinet on any patches or configuration changes addressing the root cause of the leak.
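The log review is easier to act on with something concrete to run. The following is an added example written for this page, not code from the original article, from Fortinet or from the researchers it cites. It parses FortiOS-style key=value event lines and flags the patterns the leak makes likely: many different usernames failing from one source address (the leaked list being sprayed), a successful VPN or admin login from the same address shortly afterwards, and administrator logins from outside a trusted management range. The field names (type, subtype, action, status, remoteip, srcip, ui, user), the trusted range 10.0.0.0/8, the thresholds and the sample log lines are all assumptions or constructed data; check the field names against your own device's output before pointing it at real logs.

```python
"""Hunt for credential spraying and suspicious logins in FortiGate event logs.
Added example for this page, not code from Fortinet, the article or the researchers it
cites. Assumes FortiOS-style key=value event lines with the fields date, time, type,
subtype, action, status, remoteip, srcip, ui and user; verify names against your logs."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed management range
SPRAY_MIN_USERS = 5   # distinct usernames failing from one IP: a leaked list being sprayed
SPRAY_MIN_FAILS = 10  # or simply this many failures from one IP
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')        # key="quoted value" or key=bare
_UI_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # address inside ui="https(1.2.3.4)"

def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; quoted values keep their spaces."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}

def classify(rec: Dict[str, str]) -> Optional[tuple]:
    """Reduce a record to (kind, outcome, ip, user, ts); None if it is not a login event."""
    if rec.get("type") != "event":
        return None
    ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
    sub, action, user = rec.get("subtype"), rec.get("action"), rec.get("user", "?")
    if sub == "vpn" and action == "ssl-login-fail":
        return ("vpn", "fail", rec.get("remoteip"), user, ts)
    if sub == "vpn" and action == "tunnel-up":
        return ("vpn", "success", rec.get("remoteip"), user, ts)
    if sub == "system" and action == "login":
        ip = rec.get("srcip")
        if not ip:  # some admin events carry the client only inside ui="proto(IP)"
            m = _UI_IP.search(rec.get("ui", ""))
            ip = m.group(1) if m else None
        return ("admin", "success" if rec.get("status") == "success" else "fail", ip, user, ts)
    return None

def analyze(lines: List[str], window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Findings: sprays, successes right after failures, admin logins from untrusted IPs."""
    fails = defaultdict(list)  # ip -> [(ts, user)]
    findings: List[dict] = []
    for line in lines:
        ev = classify(parse_line(line))
        if ev is None:
            continue
        kind, outcome, ip, user, ts = ev
        if outcome == "fail":
            fails[ip].append((ts, user))
            continue
        recent = [u for t, u in fails[ip] if ts - t <= window]
        if recent:  # a hit right after a run of misses is the leaked list paying off
            findings.append({"rule": "success_after_failures", "kind": kind, "ip": ip,
                             "user": user, "failures": len(recent),
                             "users_tried": len(set(recent))})
        if kind == "admin" and ip and not any(
                ipaddress.ip_address(ip) in net for net in TRUSTED_ADMIN_NETS):
            findings.append({"rule": "admin_from_untrusted_ip", "ip": ip, "user": user})
    for ip, items in fails.items():
        users = {u for _, u in items}
        if len(users) >= SPRAY_MIN_USERS or len(items) >= SPRAY_MIN_FAILS:
            findings.append({"rule": "spray", "ip": ip, "failures": len(items),
                             "users_tried": len(users)})
    return findings

def _vpn_fail(t: str, user: str, ip: str) -> str:
    """Constructed SSL-VPN failure line in FortiOS style (sample data, not a real device)."""
    return (f'date=2026-06-17 time={t} devname="fw-edge" type="event" subtype="vpn" '
            f'level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" '
            f'remoteip={ip} user="{user}" reason="sslvpn_login_permission_denied"')

# Constructed sample: five usernames fail from 203.0.113.9 and a sixth then succeeds from
# the same address; an admin logs in from outside TRUSTED_ADMIN_NETS; the rest is benign.
SAMPLE_LOG = [
    _vpn_fail("09:00:01", "alice", "203.0.113.9"),
    _vpn_fail("09:00:02", "bob", "203.0.113.9"),
    _vpn_fail("09:00:03", "carol", "203.0.113.9"),
    _vpn_fail("09:00:04", "dave", "203.0.113.9"),
    _vpn_fail("09:00:05", "erin", "203.0.113.9"),
    'date=2026-06-17 time=09:00:40 devname="fw-edge" type="event" subtype="vpn" vd="root" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" remoteip=203.0.113.9 user="frank"',
    'date=2026-06-17 time=09:05:10 devname="fw-edge" type="event" subtype="system" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" '
    'srcip=198.51.100.7 action="login" status="success" profile="super_admin"',
    'date=2026-06-17 time=09:05:40 devname="fw-edge" type="event" subtype="system" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="ssh(10.0.0.5)" action="login" status="success"',
    'date=2026-06-17 time=09:06:00 devname="fw-edge" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=192.0.2.1 action="accept"',
    'date=2026-06-17 time=09:07:00 devname="fw-edge" type="event" subtype="vpn" vd="root" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" remoteip=192.0.2.40 user="grace"',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run it as a script to print the findings for the constructed sample; on real data, feed analyze() the lines of an exported event log. The success-after-failures rule is the one worth paging on, since a spray that ends in a tunnel-up is exactly how a leaked credential turns into a foothold; raise the thresholds if many legitimate users share one NAT address.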
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/ (fetched 2026-06-17T15:13:13Z, 1,193 words)
Threat ID: 6a32b9899f87a2db0912e81e
Added to database: 6/17/2026, 3:13:13 PM
Last enriched: 6/17/2026, 3:13:22 PM
Last updated: 6/17/2026, 4:13:46 PM