Fortinet firewalls hit by huge password-stealing attack — around 75,000 users possibly affected


  • Researcher Bob Diachenko uncovers “FortiBleed,” a massive archive of 73,932 Fortinet/FortiGate VPN credentials from brute‑force and exploitation campaigns
  • Data included plaintext usernames, emails, and passwords for major firms (Chevron, Samsung, Toyota, AT&T, NATO contractor, etc.), with billions of login attempts logged
  • Fortinet says leak is a resharing of past incidents and brute‑forced data, urging password rotation and MFA to minimize risk

A database containing tens of thousands of login credentials for major global corporations was found sitting online, in one of the larger data leak incidents this year.

Security researcher Bob Diachenko posted a new report on LinkedIn, saying he discovered an archive of Fortinet and FortiGate VPN credentials, counting 73,932 firewall URLs.

"Massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action," he said.


Fortinet responds

Diachenko named the campaign “FortiBleed”, and said the archive contained usernames, email addresses, and passwords (in plaintext) for companies such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, and State Grid.

"Thousands of top vendor instances are listed in the files like this (see screenshot). This one alone has 21,634 domain names - from Chevron to Fortinet itself. All - with potentially working passwords to the FortiGate appliances obtained through various means."

Diachenko told BleepingComputer the archive was created by a Russian-speaking threat actor that’s been harvesting credentials for FortiGate SSL VPN instances. After analyzing the database, he concluded that the attackers brute-forced their way in, running more than 1.1 billion credential attempts against more than 320,000 FortiGate instances, as well as 2.1 billion attempts against 160,600+ Microsoft SQL Server systems.

The attackers also captured SSL VPN authentication hashes, which they later cracked and used to log into Active Directory environments.
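The campaign described above was driven by high-volume credential guessing against SSL VPN logins, which is exactly the pattern a defender can spot in authentication logs. The following is an added example, not code from the article or from Fortinet: a small detector that runs over a handful of constructed authentication log lines written in a simplified key=value style (the field names srcip, user, action and status are assumptions for this example, not a verbatim FortiGate log format). It keeps a sliding window of failed logins per source address and raises three kinds of alert: many failures from one address (brute force), failures spread across many distinct accounts from one address (password spraying), and a success that follows a burst of failures (a likely successful guess worth investigating).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value style. Field names
# (srcip, user, action, status) are assumptions for this example, not a
# verbatim FortiGate format. Addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-10-01T10:00:01 srcip=203.0.113.9 user=alice action=ssl-login status=failure
2025-10-01T10:00:02 srcip=203.0.113.9 user=alice action=ssl-login status=failure
2025-10-01T10:00:03 srcip=203.0.113.9 user=alice action=ssl-login status=failure
2025-10-01T10:00:04 srcip=203.0.113.9 user=alice action=ssl-login status=failure
2025-10-01T10:00:05 srcip=203.0.113.9 user=alice action=ssl-login status=failure
2025-10-01T10:00:09 srcip=203.0.113.9 user=alice action=ssl-login status=success
2025-10-01T10:01:00 srcip=198.51.100.7 user=bob action=ssl-login status=failure
2025-10-01T10:01:01 srcip=198.51.100.7 user=carol action=ssl-login status=failure
2025-10-01T10:01:02 srcip=198.51.100.7 user=dave action=ssl-login status=failure
2025-10-01T10:01:03 srcip=198.51.100.7 user=erin action=ssl-login status=failure
2025-10-01T10:30:00 srcip=192.0.2.20 user=frank action=ssl-login status=failure
2025-10-01T10:30:10 srcip=192.0.2.20 user=frank action=ssl-login status=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one 'TIMESTAMP key=value key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(
        kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv
    )
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def detect(log_text, window=timedelta(seconds=60), fail_threshold=5, spray_threshold=4):
    """Return a sorted list of (alert_type, srcip) tuples found in log_text.

    brute_force:            >= fail_threshold failures from one IP inside the window
    password_spray:         >= spray_threshold distinct usernames failing from one IP
    success_after_failures: a successful login from an IP that was in a brute-force burst
    """
    alerts = set()
    # srcip -> deque of (timestamp, username) for failures still inside the window
    recent = defaultdict(deque)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("action") != "ssl-login":
            continue
        ip, ts = ev["srcip"], ev["ts"]
        q = recent[ip]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if ev.get("status") == "failure":
            q.append((ts, ev.get("user")))
            if len(q) >= fail_threshold:
                alerts.add(("brute_force", ip))
            if len({user for _, user in q}) >= spray_threshold:
                alerts.add(("password_spray", ip))
        elif ev.get("status") == "success" and len(q) >= fail_threshold:
            alerts.add(("success_after_failures", ip))
    return sorted(alerts)


if __name__ == "__main__":
    for alert_type, ip in detect(SAMPLE_LOG):
        print(f"{alert_type:24s} {ip}")
```

The thresholds and window are deliberately small so the constructed sample triggers every rule; in production they would be tuned to the appliance's real traffic, and the "success after failures" alert is the one to triage first, since it is the closest thing in the logs to the compromises the article describes.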

Multiple organizations around the world were “fully compromised”, Diachenko also said, stressing that a Turkish NATO defense contractor was among them. This organization allegedly lost classified documents as a result of the breach.

Multiple security outfits confirmed the authenticity of the leak, including Hudson Rock and security researcher Kevin Beaumont.

Fortinet told the publication that the database is not from a new breach, but rather a collection of secrets stolen in previous incidents.

"Based on our analysis, the data involved is a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory. Organizations that follow routine best practices, including regularly refreshing security credentials, as per guidance in this March blog, face minimal risk from credential compromise detail referenced in the reporting,” Fortinet said. Still, it wouldn’t hurt to rotate any Fortinet VPN passwords and set up MFA wherever it’s possible and missing.

"Fortinet continues to investigate these reports with the security of our customers as our top priority.”

Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
