73,932 Fortinet firewall URLs were listed with usernames, email addresses, and plaintext passwords in the FortiBleed leak, prompting CISA to urge customers to lock down exposed firewalls and VPN gateways immediately.

74,000 Fortinet Logins Spill in FortiBleed Data Leak
The warning follows reports that attackers used compromised credentials to target internet-accessible Fortinet devices across government and private-sector organizations worldwide, according to BleepingComputer.
CISA says FortiBleed exposed credentials tied to about 74,000 Fortinet devices
CISA said the activity, referred to as FortiBleed, involves leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and VPN gateways.
“CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials,” the agency said.
The agency’s alert focuses on FortiGate appliances and associated SSL VPN gateways, the systems many organizations use to control remote access and sit at the network edge. That placement makes leaked credentials especially dangerous. A valid login can put an attacker at the front door of an internal network, not just inside a single application.
CISA’s advice is blunt: terminate all active SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant MFA, review logs, restrict management interfaces from the public internet, and remove unauthorized accounts.
The agency also told customers to confirm use of Password-Based Key Derivation Function 2 (PBKDF2) for administrator credential storage and remove weaker legacy hashes under Fortinet’s guidance.
21,632 domains and 194 countries appear in the FortiBleed dataset
Security researcher Volodymyr “Bob” Diachenko found a server containing what appeared to be valid Fortinet VPN credentials. The exposed data included usernames, email addresses, and plaintext passwords for 73,932 firewall URLs worldwide, BleepingComputer reported.
The dataset also contained each organization’s industry, revenue, and employee count. Diachenko said that information appeared to be compiled to help plan future attacks.
Threat intelligence firm Hudson Rock analyzed the data and described it as one of the largest known collections of compromised Fortinet credentials. It said the leak spans 21,632 unique domains and 194 countries.
Named organizations represented in the dataset include Samsung, Mercedes-Benz, Foxconn, Chevron, Comcast, AT&T, and Toyota, along with government agencies and critical infrastructure operators across telecommunications, healthcare, financial services, and manufacturing.
The highest numbers of affected devices were in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates.
FortiBleed turns valid logins into a network-edge problem
The FortiBleed risk is not framed as a single confirmed zero-day. Integrity360’s advisory said the campaign is “not a single CVE or confirmed zero-day flaw,” but instead an active credential exposure and exploitation campaign using reused and potentially exposed credentials at scale.
That distinction matters. Patching alone won’t fix an active password that still works.
| Risk area | Why it matters in FortiBleed |
|---|---|
| Valid credentials | Attackers may log in without triggering exploit-based detections. |
| Internet-facing VPNs | Remote access systems are reachable from outside the organization. |
| Public management interfaces | Exposed admin panels increase the attack surface. |
| Weak log visibility | CISA specifically told customers to review firewall, VPN, authentication, and domain controller logs. |
Diachenko also said the operation was conducted by a Russian-speaking threat group that allegedly carried out approximately 1.16 billion credential attempts against more than 320,000 FortiGate targets to intercept SSL VPN authentication hashes.
Cybersecurity expert Kevin Beaumont said he independently confirmed the authenticity of some credentials and noted that most affected devices remain online.
“The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data,” Beaumont said, according to BleepingComputer.
The source of the configuration data remains unknown. BleepingComputer reported that it is unclear whether the data was stolen through exploitation of previously disclosed Fortinet vulnerabilities, a newly discovered flaw, or another method.
Fortinet users should rotate credentials, kill sessions, and review logs now
CISA’s response steps read like an emergency credential reset playbook, not a routine maintenance notice.
Organizations with impacted Fortinet systems should immediately:
- Terminate sessions: End all active SSL VPN and administrative sessions.
- Reset credentials: Change all Fortinet VPN and administrative passwords, especially on internet-facing systems.
- Enforce MFA: Require phishing-resistant MFA on remote access and administrative accounts.
- Review logs: Check firewall, VPN, authentication, and domain controller logs for lateral movement, unusual access, suspicious accounts, or unauthorized configuration changes.
- Lock down interfaces: Keep firewall administration off the public internet and restrict Fortinet management interfaces to trusted internal networks.
- Remove accounts: Disable unauthorized or unnecessary accounts.
- Check hashing: Confirm administrator credentials are stored with PBKDF2 and remove weaker legacy hashes.
Hudson Rock has also created a free FortiBleed lookup tool to help organizations check whether they are affected.
For security teams, the hard part is proving whether valid credentials were already used. CISA’s recommended log review points directly at that problem. Teams need to look for unusual VPN logins, new admin users, configuration changes, unexpected access patterns, and signs of lateral movement.
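The "review logs" step in the checklist above and the hunt described in this paragraph come down to sifting device logs for three things: VPN logins from unexpected sources, new administrator objects, and configuration changes made from untrusted management sessions. The script below is an added illustration, not code from CISA, Fortinet or the researchers quoted; the log lines are constructed and the key=value field names are assumptions modelled loosely on FortiGate event logs, so map them to your own device's fields before use.

```python
import ipaddress
import re
# Constructed sample log lines in FortiGate-style key=value syntax. The field
# names are assumptions modelled loosely on FortiGate event logs, not a real capture.
SAMPLE_LOGS = """\
date=2024-01-02 time=08:14:02 type="event" subtype="vpn" action="ssl-login" user="jdoe" remip=198.51.100.7 msg="SSL tunnel established"
date=2024-01-02 time=08:20:31 type="event" subtype="vpn" action="ssl-login" user="jdoe" remip=203.0.113.45 msg="SSL tunnel established"
date=2024-01-02 time=08:21:05 type="event" subtype="system" action="Add" user="jdoe" ui="https(203.0.113.45)" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2024-01-02 time=08:22:40 type="event" subtype="system" action="Edit" user="svc_backup" ui="https(203.0.113.45)" cfgpath="system.interface" cfgobj="wan1" msg="Edit system.interface wan1"
date=2024-01-02 time=09:00:00 type="event" subtype="system" action="Edit" user="admin" ui="ssh(10.0.0.5)" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
"""
# Constructed: address ranges from which VPN logins and admin sessions are expected.
TRUSTED_CIDRS = ["10.0.0.0/8", "198.51.100.0/24"]
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
UI_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")    # source IP inside ui="https(1.2.3.4)"

def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def in_trusted(ip_text, trusted_nets):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)

def find_findings(log_text, trusted_cidrs):
    """Return (timestamp, finding, user, detail) tuples for the review items CISA lists."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        when = f"{e.get('date')} {e.get('time')}"
        # 1. SSL VPN login from a source outside the expected ranges (valid-credential abuse).
        if e.get("subtype") == "vpn" and e.get("action") == "ssl-login" and not in_trusted(e.get("remip", ""), trusted):
            findings.append((when, "vpn_login_untrusted_source", e.get("user"), e.get("remip")))
        # 2. A new administrator object was created (new admin users).
        if e.get("cfgpath") == "system.admin" and e.get("action") == "Add":
            findings.append((when, "admin_account_created", e.get("user"), e.get("cfgobj")))
        # 3. Any configuration change made from a management session with an untrusted source IP.
        m = UI_RE.search(e.get("ui", ""))
        if e.get("cfgpath") and m and not in_trusted(m.group(1), trusted):
            findings.append((when, "config_change_from_untrusted_ui", e.get("user"), m.group(1)))
    return findings

if __name__ == "__main__":
    for f in find_findings(SAMPLE_LOGS, TRUSTED_CIDRS):
        print(*f)
```

On the constructed sample the script flags the VPN login from 203.0.113.45, the creation of the svc_backup administrator, and the two configuration changes made from that same untrusted address, while the login and policy edit from the trusted ranges pass quietly.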
Log retention and alerting discipline matter now, because that review only works if the relevant records were kept and someone is watching for the alerts. For separate operational context, XOOMAR has covered how storage and detection decisions can strain teams in Budget Bomb Hides Inside SIEM Data Ingestion Costs and how lean teams compare options in Best SIEM Tools That Won't Drown Lean Security Teams.
CISA tracks 26 exploited Fortinet flaws, but FortiBleed’s source is still unresolved
BleepingComputer reported that CISA tracks 26 Fortinet security flaws exploited in the wild in recent years, including 13 abused in ransomware attacks. Separately, threat intelligence company Defused reported that several critical vulnerabilities in Fortinet’s FortiSandbox cyber threat detection platform are now being exploited in attacks.
That history raises the stakes, but it does not answer the central FortiBleed question: where did this credential and configuration data come from?
The next useful disclosures would be concrete indicators of compromise, affected product details, guidance from Fortinet, and clearer evidence about how many leaked credentials still work. Until then, the practical path is narrower and urgent: rotate credentials, terminate sessions, lock down management access, and hunt through logs before attackers do it for you.
Impact Analysis
- Leaked plaintext credentials could give attackers direct access to Fortinet firewalls and VPN gateways.
- CISA’s warning affects both government and private-sector organizations using internet-exposed Fortinet devices.
- Immediate password resets, MFA, log reviews, and restricted management access can reduce the risk of network compromise.
Written by
XOOMAR Insights Team
Research and Editorial Desk