- Researcher Bob Diachenko uncovers “FortiBleed,” a massive archive of 73,932 Fortinet/FortiGate VPN credentials from brute‑force and exploitation campaigns
- Data included plaintext usernames, emails, and passwords for major firms (Chevron, Samsung, Toyota, AT&T, NATO contractor, etc.), with billions of login attempts logged
- Fortinet says leak is a resharing of past incidents and brute‑forced data, urging password rotation and MFA to minimize risk
A database containing tens of thousands of login credentials for major global corporations was found sitting online, in one of the larger data leak incidents this year.
Security researcher Bob Diachenko posted a new report on LinkedIn, saying he discovered an archive of Fortinet and FortiGate VPN credentials, counting 73,932 firewall URLs.
“Massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action,” he said.
Fortinet responds
Diachenko named the campaign “FortiBleed”, and said the archive contained usernames, email addresses, and passwords (in plaintext) for companies such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, and State Grid.
“Thousands of top vendor instances are listed in the files like this (see screenshot). This one alone has 21,634 domain names – from Chevron to Fortinet itself. All – with potentially working passwords to the FortiGate appliances obtained through various means.”
Diachenko told BleepingComputer the archive was created by a Russian-speaking threat actor that’s been harvesting credentials for FortiGate SSL VPN instances. After analyzing the database, he concluded that the attackers brute-forced their way in, running more than 1.1 billion credential attempts against more than 320,000 FortiGate instances, as well as 2.1 billion attempts against 160,600+ Microsoft SQL Server systems.
They also nabbed SSL VPN authentication hashes which they later…