VYPR
breach · Published Jun 17, 2026 · 1 source

FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices

A data leak dubbed 'FortiBleed' has exposed VPN credentials for 73,932 Fortinet and FortiGate firewall URLs globally, posing immediate risk of unauthorized network access.

A newly discovered data leak dubbed 'FortiBleed' has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations worldwide. The leaked data includes device IP addresses, usernames, and passwords, potentially allowing attackers to gain unauthorized access to affected networks. The scale of the leak suggests a coordinated credential-harvesting operation targeting Fortinet's widely deployed VPN infrastructure.

The leaked dataset was first identified by security researchers monitoring underground forums and data leak sites. According to the researchers, the credentials appear to have been collected through a combination of brute-force attacks, exploitation of known vulnerabilities, and possibly insider access. The data includes entries from organizations across multiple sectors, including government, finance, healthcare, and critical infrastructure.

Fortinet has not yet issued an official statement regarding the FortiBleed leak, but the company's security advisory team is reportedly investigating the incident. In the meantime, security experts are urging all organizations using Fortinet VPNs to immediately rotate credentials, enable multi-factor authentication (MFA), and review logs for signs of unauthorized access. The leak underscores the persistent threat posed by credential theft and the importance of robust authentication practices.

The FortiBleed incident follows a pattern of large-scale credential leaks targeting VPN appliances, which have become prime targets for attackers seeking persistent access to corporate networks. Earlier this year, a separate campaign compromised over 30,000 Fortinet devices in a credential-harvesting operation attributed to a Russian-speaking threat actor. While it is unclear if FortiBleed is related to that campaign, the overlap in targeting suggests a sustained interest in Fortinet infrastructure.

Organizations affected by the leak should also consider implementing network segmentation, monitoring for anomalous VPN usage, and conducting thorough forensic investigations to determine if any unauthorized access has occurred. The leak serves as a stark reminder that VPN credentials remain a critical attack surface, and that proactive security measures are essential to mitigate the risk of breach.
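
As an added example (not from the original article or from Fortinet), the log review and anomalous-VPN-usage monitoring recommended above could start from a script like this one. The sample lines are constructed, and the field names and action values (`remip`, `tunnel-up`, `ssl-login-fail`) and the `baseline` input are assumptions to check against what your own devices actually log.

```python
import re
from collections import Counter

# Constructed sample lines in FortiOS-style key=value form (not real log data).
SAMPLE_LOG = '''\
date=2026-06-10 time=08:01:12 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=198.51.100.10
date=2026-06-18 time=02:40:03 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.77
date=2026-06-18 time=02:40:09 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=203.0.113.77
date=2026-06-18 time=02:40:15 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=203.0.113.77
date=2026-06-18 time=02:41:30 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=203.0.113.77
date=2026-06-18 time=09:00:02 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=198.51.100.10
'''.splitlines()

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def review(lines, baseline, fail_threshold=3):
    """Return findings for successful VPN logins that deserve a closer look.

    baseline: {user: set of source IPs seen before the exposure window}
    (hypothetical input, e.g. built from older logs).
    """
    fails = Counter()   # failed logins per source IP seen so far
    findings = []
    for rec in map(parse_line, lines):
        if rec.get("subtype") != "vpn":
            continue
        ip, user, action = rec.get("remip"), rec.get("user"), rec.get("action")
        if action == "ssl-login-fail":
            fails[ip] += 1
        elif action == "tunnel-up":
            reasons = []
            if ip not in baseline.get(user, set()):
                reasons.append("new source IP for user")
            if fails[ip] >= fail_threshold:
                reasons.append(f"{fails[ip]} failed logins from same IP first")
            if reasons:
                findings.append((rec["date"], rec["time"], user, ip, reasons))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, {"alice": {"198.51.100.10"}}):
        print(finding)
```

A flagged login is a lead for the forensic review, not proof of compromise; accounts that turn up here are the first candidates for credential rotation and MFA enrollment.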

As the investigation into FortiBleed continues, the cybersecurity community is closely watching for any additional data dumps or threat actor claims. The incident highlights the ongoing challenge of securing remote access infrastructure in an era of widespread credential theft and automated exploitation.

Synthesized by Vypr AI