Published on June 18, 2026
FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices
Severity
Medium
Detail
The dataset reportedly affects 21,632 unique domains, including organizations in telecom, IT services, finance, government, healthcare, education, manufacturing, and critical infrastructure. Researchers said some affected organizations include major global companies, and Malaysia is listed among the countries with a high number of affected devices. Kevin Beaumont independently reviewed parts of the dataset and said some admin logins and passwords were authentic, while BleepingComputer noted that many affected Fortinet devices are still online.
How?
The attackers allegedly targeted FortiGate SSL VPN devices through massive credential attacks and possible active exploitation. The exposed files reportedly showed around 1.16 billion credential attempts against 320,777 FortiGate targets. The attackers may have captured SSL VPN authentication hashes, cracked them using GPU infrastructure, and then used the recovered credentials to access internal networks such as Active Directory. However, the exact source of the leaked configuration data is not confirmed; it could be from known Fortinet vulnerabilities, a new flaw, stolen configs, or another compromise method.
Recommendation
To reduce the risk of unauthorized access, the following actions are recommended:
- Change all Fortinet VPN and admin passwords immediately.
- Enable MFA for VPN and administrator accounts.
- Update FortiOS to the latest secure version.
- Restrict FortiGate admin access to trusted IP addresses only.
- Review VPN and admin logs for suspicious login activity.
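The log review in the last recommendation, as an added example (not from the original advisory or from Fortinet): it flags an SSL VPN login that succeeds after a run of failures from the same address, and a login from an address an account has not used before. The key=value layout, field names and action values are assumptions modelled on FortiOS event logs; the log lines and the baseline are constructed.

```python
import re
from collections import Counter

# Constructed sample events. The key=value layout and the field names/values
# (action, user, remip, ssl-login-fail, tunnel-up) are assumptions modelled on
# FortiOS event logs; match them to your own export before relying on this.
FAIL = 'date=2026-06-10 time=02:14:01 subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.7\n'
SAMPLE_LOG = FAIL * 6 + (
    'date=2026-06-10 time=02:15:40 subtype="vpn" action="tunnel-up" user="jsmith" remip=203.0.113.7\n'
    'date=2026-06-10 time=03:02:11 subtype="vpn" action="tunnel-up" user="alee" remip=198.51.100.23\n'
    'date=2026-06-10 time=08:30:05 subtype="vpn" action="tunnel-up" user="alee" remip=192.0.2.44\n'
)
# Constructed baseline: source addresses each account normally connects from.
KNOWN_SOURCES = {"jsmith": {"192.0.2.10"}, "alee": {"192.0.2.44"}}

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict, dropping surrounding quotes."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}


def review(log_text, known_sources, fail_threshold=5):
    """Return (finding, user, source_ip) tuples for logins worth a closer look."""
    failures = Counter()  # failed SSL VPN logins seen so far, per source IP
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        user, ip, action = ev.get("user"), ev.get("remip"), ev.get("action")
        if not ip:
            continue
        if action == "ssl-login-fail":
            failures[ip] += 1
        elif action == "tunnel-up":
            if failures[ip] >= fail_threshold:
                # A guessing run from this address ended in a working login.
                findings.append(("success-after-failures", user, ip))
            elif ip not in known_sources.get(user, set()):
                # No failures first: consistent with already-recovered credentials.
                findings.append(("new-source", user, ip))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, KNOWN_SOURCES):
        print(*finding)
```

Accounts that appear in either finding are the first candidates for the password change and MFA enrolment listed above.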
Source
