
FortiBleed Exposes 73,000 Fortinet VPN Credentials Worldwide

"Massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action," Bob Diachenko wrote on LinkedIn after finding a database that, he says, contained apparent Fortinet VPN credentials for tens of thousands of firewall endpoints worldwide.

Bob Diachenko's discovery and initial findings

Security researcher Bob Diachenko reported discovering a server that held what appeared to be valid Fortinet VPN credentials, including usernames, email addresses, and plaintext passwords. Diachenko shared screenshots and samples showing entries linked to major companies — Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes‑Benz, Toyota, Sinopec, State Grid — and said the exposed dataset included notes classifying each target's industry, revenue and employee counts, details he suggested were likely used to plan follow‑on intrusions.

Diachenko later described the operation as carried out by a Russian‑speaking, multi‑operator threat group that harvested credentials for FortiGate SSL VPN devices, according to additional files he says he examined on the same server.

Scale and the attackers' claimed techniques

Diachenko's analysis, as reported, claims the actors conducted roughly 1.16 billion credential attempts against 320,777 FortiGate targets and roughly 2.1 billion attempts against 163,650 Microsoft SQL Server systems. He said the threat actors intercepted SSL VPN authentication hashes, cracked them with a 45‑GPU cluster managed via Hashtopolis, and then used recovered credentials to move laterally into internal Active Directory environments.

Diachenko told BleepingComputer he obtained these operational artifacts after finding an open directory containing tooling, scripts, analytics from cron jobs, bash histories and logs — items he describes as left inadvertently exposed on the same server.

Hudson Rock's analysis and the global footprint

Threat intelligence firm Hudson Rock received the dataset from Diachenko and published its own analysis, describing the collection as one of the largest known troves of compromised Fortinet‑related credentials. Hudson Rock reports the dataset contains 73,932 unique firewall URLs across 194 countries and impacts 21,632 unique domains.

The company said the attackers kept detailed logs of successful compromises and assembled verified credentials for organizations across nearly every major industry sector. Hudson Rock listed apparent victims that include Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture and Oracle, and noted the dataset also names numerous government agencies and critical‑infrastructure operators.

Geographically, Hudson Rock found the highest numbers of affected devices in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile and the United Arab Emirates. The most common sectors in the dataset were telecommunications, IT services, financial services, government organizations, healthcare providers, educational institutions and manufacturing.

Independent verification and the question of origin — Kevin Beaumont's review

Security researcher Kevin Beaumont independently reviewed portions of the dataset and confirmed some credentials are authentic. Beaumont said the dump contains roughly 75,000 Fortinet devices, that almost all remain online, and that many exposed management interfaces are reachable from the internet.

Beaumont reported that the data appears to have come from exported Fortinet configurations — the files included email addresses and other fields typically only available in device configs — and that the affected IP addresses differ from those in the 2025 Belsen Group Fortinet leak, which he said suggests this is a more recent, larger collection. He also noted many affected devices were running relatively recent FortiOS versions.

Neither Diachenko, Hudson Rock, nor Beaumont identified how the configuration data was originally obtained; the source remains unconfirmed in the material reviewed.

What this means for security teams, affected enterprises, and adversaries

  • Security teams: The reporting urges immediate mitigation steps — rotate passwords for Fortinet VPN and administrative interfaces, enforce multifactor authentication (MFA), examine gateway logs for suspicious activity and monitor for exposed employee credentials. Hudson Rock built a free FortiBleed lookup tool to check whether an organization appears in the dataset.
  • Affected enterprises and procurement leaders: The dataset names thousands of recognizable companies and sectors; organizations listed should assume credentials in the collection may be valid and act on the recommended rotations and log reviews. Hudson Rock and independent researchers noted that many affected devices remain online and publicly reachable.
  • Adversaries: The leak, if genuine at scale, demonstrates capabilities to mass‑harvest, crack and catalog VPN and administrative credentials and to pivot into internal networks — a playbook the reporting links to brute‑force campaigns, hash interception and distributed cracking infrastructure.
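As an added example (not part of the original article, and not tooling from any of the researchers or firms named in it), the script below shows the kind of gateway-log review the mitigation list calls for. It parses SSL VPN login events written in a key=value syslog style modeled on FortiGate's event-log format, flags a source address that accumulates many login failures inside a sliding time window (and reports whether those failures hit one account or were sprayed across many), and separately flags a successful login from a source that had just been failing, which is the pattern to expect when harvested or cracked credentials are put to use after a brute-force run. The log lines are constructed sample data; the field names and action strings (`date`, `time`, `action`, `user`, `remip`, `ssl-login-fail`, `ssl-login`) are assumptions and should be adjusted to the real device's schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a FortiGate-like key=value syslog style.
# Field names and action strings are assumptions for this example, not a
# verified vendor schema. 203.0.113.10 sprays six accounts in six seconds and
# then logs in successfully; the other two sources are ordinary traffic.
SAMPLE_LOGS = """\
date=2025-01-15 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=203.0.113.10 reason="sslvpn_login_unknown_user"
date=2025-01-15 time=10:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="asmith" remip=203.0.113.10 reason="sslvpn_login_unknown_user"
date=2025-01-15 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="bwong" remip=203.0.113.10 reason="sslvpn_login_unknown_user"
date=2025-01-15 time=10:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.10 reason="sslvpn_login_unknown_user"
date=2025-01-15 time=10:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="vpnuser" remip=203.0.113.10 reason="sslvpn_login_unknown_user"
date=2025-01-15 time=10:00:06 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip=203.0.113.10 reason="sslvpn_login_unknown_user"
date=2025-01-15 time=10:00:10 type="event" subtype="vpn" action="ssl-login" user="mlee" remip=203.0.113.10 msg="SSL user login"
date=2025-01-15 time=10:01:00 type="event" subtype="vpn" action="ssl-login-fail" user="rkhan" remip=198.51.100.7 reason="sslvpn_login_unknown_user"
date=2025-01-15 time=10:01:05 type="event" subtype="vpn" action="ssl-login" user="rkhan" remip=198.51.100.7 msg="SSL user login"
date=2025-01-15 time=10:02:00 type="event" subtype="vpn" action="ssl-login" user="pgarcia" remip=192.0.2.5 msg="SSL user login"
"""

# key=value pairs where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed 'ts' datetime."""
    fields = {key: val.strip('"') for key, val in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def analyze(lines, window_seconds=300, fail_threshold=5):
    """Return a list of alert dicts for brute-force bursts and success-after-failure events.

    A source is flagged once as 'brute_force' when it reaches fail_threshold
    failures within the sliding window. Any successful login from a source that
    still has fail_threshold or more recent failures is flagged as
    'success_after_failures', which is the higher-priority signal.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)  # remip -> [(timestamp, user), ...] inside the window
    flagged = set()
    alerts = []
    for ev in events:
        ip = ev.get("remip", "?")
        action = ev.get("action", "")
        # Expire failures that have fallen out of the window before evaluating this event
        recent = [(t, u) for t, u in failures[ip] if ev["ts"] - t <= window]
        failures[ip] = recent
        if action == "ssl-login-fail":
            recent.append((ev["ts"], ev.get("user", "?")))
            if len(recent) >= fail_threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "kind": "brute_force",
                    "remip": ip,
                    "failures": len(recent),
                    "distinct_users": len({u for _, u in recent}),  # >1 suggests password spraying
                    "first": recent[0][0],
                    "last": ev["ts"],
                })
        elif action == "ssl-login" and len(recent) >= fail_threshold:
            alerts.append({
                "kind": "success_after_failures",
                "remip": ip,
                "user": ev.get("user", "?"),
                "failures": len(recent),
                "ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Run it as-is to see two alerts for the constructed data: a brute-force burst from 203.0.113.10 across five distinct accounts, followed by a successful login for `mlee` from the same address. In practice the window and threshold are tuned to the gateway's normal failure rate, and the second alert kind is the one to route straight to incident response, since it indicates a credential that worked after the source had been guessing.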

BleepingComputer contacted Fortinet regarding the exposed dataset; the article indicated the outlet would update if Fortinet responds. Observers also flagged an unusual detail: many exposed passwords were long and complex, suggesting the dataset did not simply reflect weak credentials but rather the exfiltration of configuration data that stored high‑quality secrets in plaintext or otherwise accessible formats.

Conclusion: the FortiBleed collection, as described by Diachenko, Hudson Rock and independent reviewers, is notable both for its size — roughly 73,932 firewall URLs and about 75,000 Fortinet devices — and for the persistence of those devices on the internet. With the dataset still under analysis and the method of initial compromise unclear, organizations named in the files have concrete, immediate steps to reduce risk: rotate credentials, enable MFA, and hunt in logs. The larger question the evidence leaves open is how so many configuration records — some containing long, complex passwords — were collected in the first place and by whom.

Original report on BleepingComputer