74,000 Fortinet firewall credentials exposed in FortiBleed data leak

A Russian-speaking cybercriminal group has stolen credentials contained in the configuration files of nearly 74,000 Fortinet firewalls and VPN gateways around the world.
The data was accidentally exposed by the group on a server, along with other artifacts and tools, and the exposure was noticed by security researcher Volodymyr “Bob” Diachenko.
He raised the alarm last weekend, and other researchers have since analyzed the exposed dataset.
“I have worked with several orgs listed, and can confirm the logins and passwords are real,” security researcher Kevin Beaumont said.
“Many of the devices sampled are on fairly recent patches. The data appears to have come from exports of config from the devices, as it includes things which are only visible from the device itself.”
How the credentials were compromised
According to Diachenko, the group conducts automated large-scale credential harvesting by intercepting SSL VPN authentication hashes, cracking them on a 45-GPU cluster managed via Hashtopolis, and using the recovered passwords to pivot into internal Active Directory environments.
Hudson Rock researchers say that the group successfully targeted 73,932 unique firewall URLs across 194 countries.
“In a majority of cases, the Fortigate Management Interface is exposed to the internet on impacted devices,” Beaumont noted.
While the 15,000+ FortiGate configuration files leaked in 2025 were harvested by exploiting vulnerabilities in the OS running on FortiGate appliances, Fortinet believes that this latest leak – dubbed FortiBleed – includes data collected during previous incidents and via brute-forcing.
Beaumont posited that while Fortinet strengthened how it stores passwords in early 2025 by switching to a more crack-resistant method (PBKDF2 with randomized salt), many devices still store credentials using the older, weaker method (SHA-256 with salt), which is vulnerable to cracking via brute-force attacks.
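To make the difference between the two storage methods concrete, here is an added example (not code from the article, and not a reproduction of Fortinet's actual hash format) that implements a single-pass salted SHA-256 store and a PBKDF2-HMAC-SHA256 store side by side, then measures how many password checks per second each permits on the local machine. The salt length and iteration count are assumed values chosen for illustration; the ratio it reports is the factor by which the slower scheme multiplies the cost of every guess an attacker must make against a stolen hash.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for illustration only; they are not Fortinet's
# storage format, which this example does not reproduce.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000


def hash_fast(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-256: one hash evaluation per password guess."""
    return hashlib.sha256(salt + password).digest()


def hash_slow(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: `iterations` HMAC evaluations per password guess."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def store(password: bytes, scheme) -> tuple[bytes, bytes]:
    """Return (salt, digest) as a device would persist them for one account."""
    salt = os.urandom(SALT_BYTES)
    return salt, scheme(password, salt)


def verify(password: bytes, salt: bytes, digest: bytes, scheme) -> bool:
    """Constant-time comparison of a candidate password against a stored record."""
    return hmac.compare_digest(scheme(password, salt), digest)


def checks_per_second(scheme, calls: int) -> float:
    """Time `calls` evaluations of `scheme` and return the throughput."""
    salt = os.urandom(SALT_BYTES)
    candidate = b"constructed-sample-password"
    start = time.perf_counter()
    for _ in range(calls):
        scheme(candidate, salt)
    elapsed = time.perf_counter() - start
    return calls / elapsed


def slowdown_factor() -> float:
    """How many times more work each guess costs under PBKDF2 than under salted SHA-256."""
    fast = checks_per_second(hash_fast, calls=20_000)
    slow = checks_per_second(hash_slow, calls=5)
    return fast / slow


if __name__ == "__main__":
    salt, digest = store(b"constructed-sample-password", hash_slow)
    print("verify correct:", verify(b"constructed-sample-password", salt, digest, hash_slow))
    print("verify wrong:  ", verify(b"not-the-password", salt, digest, hash_slow))
    print(f"PBKDF2 makes each guess about {slowdown_factor():,.0f}x more expensive")
```

The verification path is identical for both schemes, which is why a device can re-hash an account on its next successful login: the plaintext is available at that moment, so the record can be rewritten under the slower scheme without the user noticing anything.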
How to check if you’re affected
Hudson Rock launched a look-up tool for organizations to check whether their Fortinet credentials have been found in the data leak.
Many high-profile organizations are affected, including Samsung, Siemens, Foxconn, Oracle, Accenture, DHL, Infosys, and Fortinet. The list also includes many government agencies and organizations in critical infrastructure sectors.
“At least four organizations across Japan, Taiwan/Vietnam, Iraq, and Turkey were fully compromised — including a Turkish NATO defense contractor whose classified defense documents were exfiltrated,” Diachenko revealed.
Organizations using Fortinet firewalls and gateways should use the look-up tool and, if their domains or IP addresses are on the list, assume compromise and check for compromised accounts, backdoor users, and altered security controls.
If evidence of compromise is discovered, a full investigation is warranted.
The affected devices should be upgraded to the latest FortiOS release and their management interface pulled from the internet (if possible).
Credentials should be rotated, multi-factor authentication enforced on all accounts, and admins should log in to force the system to re-hash passwords using the more secure PBKDF2 standard, Hudson Rock advised.
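The checks above (unexpected admin users, accounts without MFA, and a management interface reachable from the WAN side) can be run offline against a configuration backup. The following is an added example, not code from the article or from Hudson Rock: it parses the `config` / `edit` / `set` / `next` / `end` block syntax that FortiGate CLI exports use and reports the three findings. The sample configuration is constructed for this example (the password value is a placeholder, and the set of approved admin names is an assumption an operator would replace with their own).

```python
import shlex

# Constructed sample in FortiOS export syntax; values are placeholders.
SAMPLE_CONFIG = """
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set password ENC PLACEHOLDER-NOT-A-REAL-HASH
    next
    edit "svc_backup"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER-NOT-A-REAL-HASH
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.5 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set role lan
    next
end
"""

# Services on an interface's allowaccess list that expose the management plane.
MANAGEMENT_SERVICES = {"http", "https", "ssh", "telnet"}


def parse_fortios_config(text: str) -> dict:
    """Return {section: {entry_name: {key: [values]}}} for top-level sections.

    Nested `config` blocks inside an entry are skipped, and `set` lines that
    sit directly under a section (outside any `edit`) are ignored.
    """
    sections: dict = {}
    stack: list = []     # names of the enclosing config blocks
    current = None       # attribute dict of the entry being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            stack.append(" ".join(tokens[1:]))
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif keyword == "end":
            stack.pop()
            if not stack:
                current = None
        elif keyword == "edit" and len(stack) == 1:
            current = sections[stack[0]].setdefault(tokens[1], {})
        elif keyword == "next" and len(stack) == 1:
            current = None
        elif keyword == "set" and len(stack) == 1 and current is not None:
            current[tokens[1]] = tokens[2:]
    return sections


def unapproved_admins(cfg: dict, approved: set) -> list:
    """Admin accounts not on the operator's approved list (possible backdoor users)."""
    return sorted(name for name in cfg.get("system admin", {}) if name not in approved)


def admins_without_mfa(cfg: dict) -> list:
    """Admin accounts whose two-factor setting is absent or disabled."""
    return sorted(name for name, attrs in cfg.get("system admin", {}).items()
                  if attrs.get("two-factor", ["disable"])[0] == "disable")


def wan_management_exposure(cfg: dict) -> dict:
    """Interfaces with role wan that allow management services: {iface: [services]}."""
    exposed = {}
    for name, attrs in cfg.get("system interface", {}).items():
        if attrs.get("role", [""])[0] != "wan":
            continue
        services = sorted(set(attrs.get("allowaccess", [])) & MANAGEMENT_SERVICES)
        if services:
            exposed[name] = services
    return exposed


def audit(text: str, approved: set) -> list:
    """Run all three checks over a config export and return human-readable findings."""
    cfg = parse_fortios_config(text)
    findings = [f"unapproved admin account: {n}" for n in unapproved_admins(cfg, approved)]
    findings += [f"admin without MFA: {n}" for n in admins_without_mfa(cfg)]
    findings += [f"management services on WAN interface {i}: {', '.join(s)}"
                 for i, s in wan_management_exposure(cfg).items()]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, approved={"admin"}):   # approved set is assumed
        print(finding)
```

Running it on the sample reports the unexpected `svc_backup` account, its missing MFA, and HTTPS/SSH on `wan1`; the `internal` interface is left alone because the finding the article describes is internet-facing management, not LAN-side access. Against a real backup the parser does the same work, with the approved set coming from the organization's own records rather than the config being audited.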
