
Over 75,000 Fortinet device administrator credentials compromised (50% of the Fortinets facing the Internet per Shodan) via Hunt Intelligence, Inc, Volodymyr Diachenko, Hudson Rock and Kevin Beaumont.

Medium
Published: Wed Jun 17 2026 (06/17/2026, 16:31:52 UTC)
Source: Reddit Cybersecurity

Description

A large-scale compromise of over 75,000 Fortinet device administrator credentials has been reported. The compromised credentials appear to be recent and include devices that are still online. The data was reportedly obtained from device configuration exports, containing sensitive information visible only from the devices themselves. This incident affects a significant portion of Fortinet firewall devices exposed to the internet, estimated at around 15% based on Shodan polling. The compromised devices include many with fairly recent patches. The source of this information is a Reddit post linking to a LinkedIn profile of a security researcher involved in the discovery.

Reddit Discussion

r/cybersecurity·posted by u/Candid-Molasses-6204

Credit to Volodymyr Diachenko, Hunt.io, Hudson Rock and Kevin Beaumont. I am not associated with any of these companies/people. I'm just spreading the gospel of these awesome people/companies.

This data is not from 2022, this appears to be new. Most of which appear to still be online. I would run your company's domain through this awesome website Hudson Rock set up located here. If you're on this list, I would consider rotating your admin credentials and restricting your Fortinet Admin portal from being accessible via the Internet and reviewing your environment's logs.

More details on the massive credential compromise here.

Noteworthy takeaways below.

  • The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data.
  • The data appears to have come from exports of config from the devices, as it includes things which are only visible from the device itself.
  • The IP addresses are largely different to the Belsen Group leak, which was 15k devices. It includes mostly devices not in the Belsen Group leak, and in this case most of the devices are still online — this isn’t data from 2022.
  • I have worked with several orgs listed, and can confirm the logins and passwords are real. Many of the devices sampled are on fairly recent patches.
  • The data comprises roughly 15% of all Fortinet firewall devices facing the internet, based on polling from Shodan. *Previous claim was 50% per the article. I'm seeing closer to 15%.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/17/2026, 17:50:04 UTC

Technical Analysis

Over 75,000 Fortinet device administrator credentials have been compromised, with the data likely obtained from exports of device configurations. The compromised devices are mostly Fortinet firewalls facing the internet, with many still online and including devices with recent patches. The data set is distinct from a previous leak involving 15,000 devices and covers a different set of IP addresses. The compromise affects approximately 15% of internet-facing Fortinet devices based on Shodan data. The information was shared by security researchers including Volodymyr Diachenko, Hunt Intelligence, Hudson Rock, and Kevin Beaumont, and disseminated via a Reddit cybersecurity post linking to a LinkedIn profile.

Potential Impact

The compromise exposes administrator credentials for a large number of Fortinet devices, potentially allowing unauthorized access to these devices. This could lead to unauthorized configuration changes, interception of network traffic, or further network compromise. The affected devices include many that are still operational and patched, indicating that the compromise is not limited to unpatched systems. The scale of the compromise suggests a widespread risk to organizations using Fortinet devices exposed to the internet.

Mitigation Recommendations

No official patch or fix is indicated as this is a credential compromise rather than a software vulnerability. Organizations should immediately rotate administrator credentials on Fortinet devices, especially those accessible from the internet. It is recommended to restrict or block internet access to Fortinet administrative portals where possible. Reviewing device and network logs for suspicious activity is advised. Use the Hudson Rock website referenced in the source to check if your organization's devices are affected. Follow any additional guidance from Fortinet and security researchers involved in this disclosure.


Technical Details

Source Type: reddit
Subreddit: cybersecurity
Reddit Score: 0
Discussion Level: minimal
Content Source: reddit_link_post
Post Type: link
Domain: null
Newsworthiness Assessment: {"score":38,"reasons":["external_link","newsworthy_keywords:compromised","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":["compromised"],"foundNonNewsworthy":[]}
Has External Source: true
Trusted Domain: false

Threat ID: 6a32de45f198dc38c1d573dc

Added to database: 6/17/2026, 5:49:57 PM

Last enriched: 6/17/2026, 5:50:04 PM

Last updated: 6/17/2026, 8:14:20 PM

Views: 7
