Key Takeaways
- More than 73,900 Fortinet and FortiGate firewall URLs were exposed in a leak tied to a large brute-force and hash-harvesting campaign.
- Evidence suggests attackers operated a long-running credential-cracking effort supported by a 45-GPU cluster.
- Analysts report the dataset includes plaintext passwords that appear valid, alongside detailed organizational profiles spanning global operations.
A server left openly reachable on the internet contained what a security researcher described as a sprawling collection of Fortinet and FortiGate VPN credentials. The dataset, known as FortiBleed, includes login information tied to 73,932 firewall URLs at organizations worldwide.
Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, and State Grid appeared in the dataset, alongside other organizations. The exposed database included comments recording each organization's industry, revenue, and employee count, suggesting the threat group cataloged victims in a structured way to prioritize targeted follow-on attacks.
The researcher shared screenshots that included plaintext passwords, email addresses, and usernames that appeared valid. Initial findings described the discovery as part of a massive Fortinet and FortiGate brute-force and active exploitation campaign. One file alone listed 21,634 domain names.
Further analysis of inadvertently exposed directories revealed logs, cron job analytics, bash histories, and tooling from a Russian-speaking multi-operator threat group conducting credential harvesting. These files suggested attackers launched approximately 1.16 billion credential attempts against 320,777 FortiGate targets. They also attempted 2.1 billion authentication probes against 163,650 Microsoft SQL Server systems.
The threat actors intercepted SSL VPN authentication hashes, cracked them with a 45-GPU cluster orchestrated through Hashtopolis, and used the recovered credentials to move laterally into internal Active Directory environments. This aligns with trends highlighted in the Verizon DBIR, which notes that stolen credentials remain a primary driver of network breaches. Because VPN appliances sit at the network edge and authenticate users against internal directory services, a cracked VPN credential turns that well-known risk into direct perimeter access.
Threat intelligence company Hudson Rock, which received the dataset for analysis, described the collection as one of the largest known troves of compromised Fortinet-related credentials. Multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey were fully compromised, including a Turkish NATO defense contractor from which classified documents were allegedly stolen.
Security analysts have pointed to guidelines within NIST SP 800-53 that urge organizations to limit configuration file access and segment administrative interfaces away from untrusted networks. The IBM Cost of a Data Breach Report similarly notes that VPN appliances represent high-value targets because they bridge external connectivity with internal identity systems, meaning any exposed interface can grant considerable network leverage to unauthorized users.
Following the discovery, Hudson Rock released a lookup tool for organizations to check whether their Fortinet devices appear in the dataset. For affected security teams, immediate mitigation involves rotating the exposed passwords (and any account that reused them elsewhere), reviewing VPN authentication logs for the burst of failures followed by a success that brute forcing leaves behind, and hunting internal networks for signs of lateral movement.
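The log review step above is the one most teams can start on immediately. The following is an added example, not code from the article or from Fortinet: it parses FortiOS-style key=value SSL VPN event lines, counts failed logins per source address, and flags any account that successfully connected from a source that had already crossed the failure threshold, since that is the account whose password was most likely guessed or cracked. The `action` values and field names follow FortiOS event logging, but every address, user name and timestamp in the sample is constructed for this example.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style SSL VPN event lines. The key=value layout and the
# action values ("ssl-login-fail", "tunnel-up") follow FortiOS event logging, but
# every address, user name and timestamp below is made up for this example.
SAMPLE_LOG = """\
date=2025-03-02 time=01:12:03 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="j.doe" reason="sslvpn_login_permission_denied"
date=2025-03-02 time=01:12:04 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="admin" reason="sslvpn_login_permission_denied"
date=2025-03-02 time=01:12:05 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="svc_backup" reason="sslvpn_login_permission_denied"
date=2025-03-02 time=01:12:06 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="m.lee" reason="sslvpn_login_permission_denied"
date=2025-03-02 time=01:12:07 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="k.ng" reason="sslvpn_login_permission_denied"
date=2025-03-02 time=01:12:20 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="k.ng" tunneltype="ssl-tunnel"
date=2025-03-02 time=07:58:41 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="a.ruiz" reason="sslvpn_login_permission_denied"
date=2025-03-02 time=07:58:55 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.5 user="a.ruiz" tunneltype="ssl-tunnel"
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiOS key=value log line into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def analyze(log_text, fail_threshold=5):
    """Flag brute-force sources and accounts they later logged in with.

    A source address is flagged once it has produced `fail_threshold` failed
    SSL VPN logins. A tunnel-up from a source that has already crossed the
    threshold is treated as a probable compromised credential: rotate that
    account and review its sessions, rather than only blocking the IP.
    Lines are processed in file order, so the success must follow the failures.
    """
    fails = defaultdict(int)          # remip -> failed login count
    users_tried = defaultdict(set)    # remip -> distinct user names attempted
    compromised = set()               # accounts that logged in from a flagged source

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn":
            continue
        ip, user, action = ev.get("remip"), ev.get("user"), ev.get("action")
        if action == "ssl-login-fail":
            fails[ip] += 1
            users_tried[ip].add(user)
        elif action == "tunnel-up" and fails[ip] >= fail_threshold:
            compromised.add(user)

    flagged = sorted(ip for ip, n in fails.items() if n >= fail_threshold)
    return {
        "brute_force_sources": {
            ip: {"failures": fails[ip], "distinct_users": len(users_tried[ip])}
            for ip in flagged
        },
        # more than one user name from a flagged source is a password spray
        "spray_sources": [ip for ip in flagged if len(users_tried[ip]) > 1],
        "probable_compromised_accounts": sorted(compromised),
    }


if __name__ == "__main__":
    for section, value in analyze(SAMPLE_LOG).items():
        print(f"{section}: {value}")
```

In production the threshold should be tuned per tenant and applied over a sliding time window rather than a whole file, and the same failed-then-succeeded logic applies to the MS SQL authentication probing described above once the log source changes; the point is that the success event from an attacker IP, not the failure count, is what tells you which password to rotate first.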
The combination of high-volume brute-forcing and hash interception demonstrated by the FortiBleed exposure highlights the operational risk of leaving management and VPN interfaces reachable from the internet. As threat groups turn GPU clusters on intercepted credentials, organizations relying on SSL VPN devices must prioritize multi-factor authentication and strict access segmentation.