FortiBleed Leak Exposes 74,000 Fortinet Firewall Credentials in Plaintext
A cache of 74,000 Fortinet firewall credentials was leaked online, exposing plaintext usernames and passwords for devices worldwide. The data, dubbed FortiBleed, was discovered by security researcher Volodymyr Diachenko.
Security researchers have uncovered a massive cache of stolen credentials for Fortinet firewalls, exposing login details for tens of thousands of organizations worldwide. The dataset, dubbed FortiBleed, contains plaintext usernames, emails, and passwords for 73,932 unique Fortinet FortiGate firewall and VPN devices across 194 countries.
The data was accidentally exposed by a Russian-speaking cybercriminal group on a server, along with other artifacts and tools. Security researcher Volodymyr “Bob” Diachenko noticed the exposure and raised the alarm last weekend. Other researchers have since analyzed the dataset, which touches more than 21,000 domains.
How the Attack Worked
The attackers did not exploit a zero-day vulnerability. Instead, they used old passwords obtained from previous breaches or brute-force attacks against Fortinet devices that had not been patched or had weak credentials. The stolen configuration files contained plaintext credentials, making them immediately usable for further attacks.
- 73,932 unique Fortinet FortiGate firewall and VPN devices were compromised.
- The data spans 194 countries and affects more than 21,000 domains.
- Credentials were stored in plaintext within configuration files, a known security risk.
- The leak was accidental, caused by the group's own server misconfiguration.
- Researchers estimate that around 75,000 users may have been affected.
Implications for Organizations
The FortiBleed leak highlights a persistent problem: organizations failing to change default passwords or apply security patches. Fortinet has issued advisories in the past urging customers to rotate credentials and enable multi-factor authentication. However, many devices remain vulnerable due to poor security hygiene.
Organizations listed in the leak should immediately rotate all firewall and VPN credentials, audit their configurations for plaintext passwords, and enable multi-factor authentication. They should also check for signs of unauthorized access, as the exposed credentials could be used to pivot into internal networks.
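One way to carry out the configuration audit described above, as an added example that is not from the original article or from Fortinet. It assumes FortiOS CLI backup syntax (`config` / `edit` / `set` / `next` / `end`), that the secret-bearing keys are `password`, `passwd` and `psksecret`, and that a stored (non-plaintext) value starts with `ENC `; the sample configuration is constructed.

```python
import re

# Assumption: secret-bearing keys and the "ENC " marker follow FortiOS CLI backup syntax.
SECRET_KEYS = {"password", "passwd", "psksecret"}
SET_RE = re.compile(r"^set\s+(\S+)\s+(.+)$")

def audit_config(text):
    """Return one finding per secret field whose value is not in ENC form."""
    findings, stack = [], []  # stack holds open config/edit blocks
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("config "):
            stack.append(("config", line[7:].strip()))
        elif line.startswith("edit "):
            stack.append(("edit", line[5:].strip().strip('"')))
        elif line == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif line == "end":
            while stack and stack[-1][0] == "edit":  # tolerate a missing "next"
                stack.pop()
            if stack:
                stack.pop()
        else:
            m = SET_RE.match(line)
            if m and m.group(1) in SECRET_KEYS and not m.group(2).startswith("ENC "):
                # Report location only; never echo the secret itself.
                path = " / ".join(name for _, name in stack)
                findings.append({"line": lineno, "path": path, "key": m.group(1)})
    return findings

# Constructed sample, not taken from the leaked dataset.
SAMPLE = """\
config system admin
    edit "admin"
        set password ENC constructedCiphertext==
    next
end
config user local
    edit "vpnuser1"
        set type password
        set passwd Constructed-Passw0rd
    next
end
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE):
        print(f"line {f['line']}: {f['path']}: {f['key']} is not in ENC form")
```

Run it over exported backups offline and treat every finding as a credential to rotate.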
Security researchers are working with affected organizations to mitigate the damage. The incident serves as a reminder that even sophisticated attacks often rely on basic security failures. Fortinet has not yet issued a formal statement on the FortiBleed leak, but customers are advised to follow best practices for device security.
Fact check
- The dataset contains credentials for 73,932 unique Fortinet FortiGate firewall and VPN devices. (reported)
- The data was accidentally exposed by a Russian-speaking cybercriminal group on a server. (reported)
- The leak was discovered by security researcher Volodymyr 'Bob' Diachenko. (reported)
- The attackers used old passwords obtained from previous breaches or brute-force attacks, not a zero-day vulnerability. (reported)