A Russian-speaking, multi-operator cybercriminal group has published a verified credential dataset for approximately 75,000 Fortinet FortiGate SSL VPN devices spanning 194 countries. The dataset, dubbed FortiBleed by researchers, contains usernames, email addresses, and plaintext passwords for devices at organizations including Chevron, Samsung, AT&T, Toyota, and Foxconn. If your organization runs FortiGate VPN infrastructure, treat this as a probable exposure event until you confirm otherwise.
How the attack worked
FortiBleed is not a simple dump of a single breached database. It is the output of a multi-stage credential pipeline:
- The group scanned the internet for exposed FortiGate management and SSL VPN endpoints.
- They tested each endpoint against credential databases harvested from infostealer malware, sourced from credential markets.
- Where credentials passed basic validation, the attackers captured SSL VPN authentication hashes from the devices.
- The hashes were cracked offline using a 45-GPU cluster orchestrated through Hashtopolis, a distributed hash-cracking framework.
- The cracked plaintext credentials were compiled into the released dataset.
The scale is striking: approximately 1.16 billion credential attempts against over 320,000 FortiGate targets, plus a parallel 2.1 billion brute-force attempts against 163,650 MSSQL servers. This was not opportunistic scanning. It was a systematic industrial-scale credential harvesting operation.
The specific vulnerability or technique used to capture the hashes has not been confirmed. Fortinet has a history of SSL VPN credential exposure incidents (CVE-2022-40684, CVE-2023-27997, CVE-2024-21762 among others), and unpatched instances from prior vulnerability windows remain the most likely source. Arctic Wolf's primary research on the campaign includes detection indicators and attacker infrastructure details.
Why VPN credentials are particularly vulnerable
Web application credentials are typically hashed using slow algorithms designed to resist cracking (bcrypt, Argon2, scrypt). VPN appliances often store or transmit credentials in formats optimized for performance rather than cracking resistance. Fortinet SSL VPN credentials have historically been recoverable from configuration backups or intercepted during authentication exchanges, and the algorithms protecting them are far faster to crack.
This makes VPN credentials a higher-value target than many teams assume. A leaked bcrypt hash from a web application breach may take years to crack even with GPU resources. A VPN authentication hash may be crackable in hours or days at scale.
The pattern is not new. The 2021 Pulse Secure mass exploitation campaign, the 2022 Fortinet configuration dump (50,000 devices), and the 2024 Fortinet credential leak follow the same arc: VPN appliances, large-scale hash interception or configuration theft, and offline cracking pipelines. FortiBleed is the 2026 iteration.
What to do now
- Rotate FortiGate administrative credentials and VPN user credentials immediately, regardless of whether you appear in the leaked dataset.
- Audit SSL VPN logs for authentication events from unusual IP ranges or geographies in the past 90 days.
- Enable MFA on all FortiGate VPN access. A stolen plaintext password is worthless against a hardware FIDO2 key or TOTP.
- Verify your FortiGate firmware is current, particularly for CVE-2024-21762 and any advisories published in 2025-2026.
- Review Arctic Wolf's FortiBleed post for detection queries and IoC lists specific to this campaign's infrastructure.
- If you use FortiGate credentials in shared password managers or SSO systems, rotate those downstream accounts as well.
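As an added example (not code from the original post or from Arctic Wolf), the log audit in the list above can be scripted. The snippet parses FortiGate-style key=value SSL VPN event lines (the sample lines, user names and source addresses are constructed, and the allowlisted range is an assumption) and flags two things: one source address failing against many distinct accounts, the shape of stuffing a stolen credential list, and successful tunnels from outside the ranges you expect.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in FortiGate key=value syslog style. Field names follow the
# SSL VPN event log convention; dates, hosts and users are invented for this example.
SAMPLE_LOGS = """\
date=2026-01-14 time=02:11:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="a.smith"
date=2026-01-14 time=02:11:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="b.jones"
date=2026-01-14 time=02:11:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="c.lee"
date=2026-01-14 time=02:11:06 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="d.kim"
date=2026-01-14 time=02:11:07 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="e.ortiz"
date=2026-01-14 time=02:11:09 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.45 user="c.lee"
date=2026-01-14 time=08:30:12 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="b.jones"
date=2026-01-14 time=08:30:40 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="b.jones"
"""

# Source ranges you expect VPN users to come from (assumed value; replace with your own).
ALLOWED_CIDRS = ["198.51.100.0/24"]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """One key=value log line -> dict; handles both quoted and bare values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def stuffing_sources(events, min_users=5):
    """Source IPs whose failed logins span at least min_users distinct accounts:
    the one-source, many-users shape of stuffing a stolen credential list."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e.get("action") == "ssl-login-fail":
            users_by_ip[e["remip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

def logins_outside_allowlist(events, allowed_cidrs):
    """Successful tunnels (action=tunnel-up) from outside the expected ranges,
    as (timestamp, user, source) tuples for the analyst to chase."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for e in events:
        if e.get("action") != "tunnel-up":
            continue
        if not any(ipaddress.ip_address(e["remip"]) in n for n in nets):
            hits.append((e["date"] + " " + e["time"], e["user"], e["remip"]))
    return hits
```

Run it over an export of the last 90 days of SSL VPN event records; both functions return the flagged items rather than printing them, so they drop straight into a larger triage script.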
The broader lesson
Every major VPN vendor (Fortinet, Pulse Secure, Cisco, Palo Alto, Check Point) has had credential exposure incidents in recent years. The common thread is that network perimeter appliances combine internet exposure with authentication formats that were not designed for a world where 45-GPU cracking clusters are a commodity. Perimeter VPN credentials should be treated as high-value targets with rotation schedules measured in months, not years.
If you are evaluating your remote access architecture: phishing-resistant MFA (FIDO2 passkeys or hardware keys) eliminates this attack class. A cracked password alone cannot complete authentication. Consider this when planning your next refresh cycle.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to discuss FortiBleed exposure assessment or VPN credential security posture.