FortiBleed: CISA Urges Fortinet Users to Secure Devices After 74,000 Credentials Exposed
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued a critical warning to **Fortinet** customers following the 'FortiBleed' data leak, which exposed nearly 74,000 firewall and VPN credentials. Threat actors are reportedly leveraging these compromised credentials to target internet-accessible Fortinet devices across government and private sector organizations globally. Organizations are urged to take immediate action to mitigate potential risks.

**CISA** has sounded the alarm for **Fortinet** users worldwide, urging them to harden their devices after a massive data leak dubbed "FortiBleed." This incident has revealed credentials for approximately 74,000 Fortinet firewalls and VPN gateways.
"CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials," the agency stated. "This activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways."
### CISA's Mitigation Recommendations
In response to the threat, **CISA** has provided a comprehensive list of recommendations for affected **FortiGate** appliance owners:
* Terminate all SSL VPN and administrative sessions.
* Reset all VPN and administrative passwords.
* Enable phishing-resistant multifactor authentication (MFA).
* Review logs meticulously for any signs of unauthorized access or lateral movement.
* Store administrative credentials using the modern Password-Based Key Derivation Function 2 (**PBKDF2**) hashing algorithm.
* Restrict firewall management interfaces from public internet access.
* Remove any unauthorized accounts to reduce the attack surface.
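The log-review step is the one that is hardest to do "meticulously" by hand once a leaked credential list is in play. As an added example (not CISA's or Fortinet's own code), the following Python script parses FortiGate-style key=value SSL VPN event lines and flags a source address that failed logins against several different accounts and then obtained a tunnel, the pattern a credential-stuffing run that finally lands tends to leave behind. The sample lines, the `ssl-login-fail` and `tunnel-up` action names, and the threshold are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate's key=value syslog style. The users,
# addresses and action names are invented for this example, not FortiBleed data.
SAMPLE_LOGS = """\
date=2026-04-10 time=09:01:02 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip="203.0.113.7"
date=2026-04-10 time=09:01:03 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip="203.0.113.7"
date=2026-04-10 time=09:01:04 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip="203.0.113.7"
date=2026-04-10 time=09:01:05 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip="203.0.113.7"
date=2026-04-10 time=09:01:06 type="event" subtype="vpn" action="ssl-login-fail" user="erin" remip="203.0.113.7"
date=2026-04-10 time=09:01:09 type="event" subtype="vpn" action="tunnel-up" user="carol" remip="203.0.113.7"
date=2026-04-10 time=09:30:00 type="event" subtype="vpn" action="ssl-login-fail" user="frank" remip="198.51.100.20"
date=2026-04-10 time=09:30:05 type="event" subtype="vpn" action="tunnel-up" user="frank" remip="198.51.100.20"
"""

# key=value pairs; values may be double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def triage_vpn_logins(log_text, fail_threshold=5):
    """Return {remip: [accounts that logged in]} for sources that look like a
    credential-stuffing run: at least `fail_threshold` failed SSL VPN logins
    spread over two or more accounts, followed by at least one tunnel-up."""
    per_ip = defaultdict(lambda: {"fails": 0, "failed_users": set(), "ok": set()})
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if ev.get("subtype") != "vpn" or "remip" not in ev:
            continue
        rec = per_ip[ev["remip"]]
        if ev.get("action") == "ssl-login-fail":
            rec["fails"] += 1
            rec["failed_users"].add(ev.get("user", "?"))
        elif ev.get("action") == "tunnel-up":
            rec["ok"].add(ev.get("user", "?"))
    return {
        ip: sorted(rec["ok"])
        for ip, rec in per_ip.items()
        if rec["fails"] >= fail_threshold and len(rec["failed_users"]) >= 2 and rec["ok"]
    }


if __name__ == "__main__":
    for ip, users in triage_vpn_logins(SAMPLE_LOGS).items():
        print(f"REVIEW {ip}: spray-then-login for accounts {users}")
```

A single user failing once and then succeeding (the 198.51.100.20 source above) is a typo, not a spray, and is deliberately left unflagged; tune `fail_threshold` to your own baseline.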
### FortiBleed: Details of the Leak
The "FortiBleed" data leak was brought to light by security researcher **Volodymyr "Bob" Diachenko**. He discovered a server containing what appeared to be valid **Fortinet** VPN credentials, including usernames, email addresses, and plaintext passwords for 73,932 firewall URLs globally.
The exposed data further includes each organization's industry, revenue, and employee count, suggesting a compilation designed to facilitate future targeted attacks.
Threat intelligence firm **Hudson Rock**, which also analyzed the dataset, described it as one of the largest known collections of compromised **Fortinet** credentials. It spans 21,632 unique domains across 194 countries.
Among the high-profile organizations potentially affected are **Samsung**, **Mercedes-Benz**, **Foxconn**, **Chevron**, **Comcast**, **AT&T**, and **Toyota**, alongside numerous government agencies and critical infrastructure operators in sectors like telecommunications, healthcare, financial services, and manufacturing.
The countries with the highest number of affected devices include India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates.

*Fortinet credentials found on an exposed server (Volodymyr Diachenko)*
### Link to Russian-Speaking Threat Group
**Diachenko** has also indicated that the operation appears to be linked to a Russian-speaking threat group. This group allegedly conducted approximately 1.16 billion credential attempts against over 320,000 **FortiGate** targets, aiming to intercept SSL VPN authentication hashes. The precise source of the configuration data remains under investigation.
Cybersecurity expert **Kevin Beaumont** independently confirmed the authenticity of some of the credentials, noting that most of the affected devices remain online. "The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data," **Beaumont** stated, suggesting the leaked data likely originated from **Fortinet** configuration files.
The exact method of data exfiltration is still unclear; the possibilities include the exploitation of previously disclosed **Fortinet** vulnerabilities, a newly discovered security flaw, or other attack vectors.
**Hudson Rock** has made a free **FortiBleed** lookup tool available to help organizations determine if they are affected.
This incident follows recent reports from **Defused** regarding active exploitation of critical vulnerabilities in **Fortinet's FortiSandbox** cyber threat detection platform. **CISA** currently tracks 26 **Fortinet** security flaws that have been exploited in the wild in recent years, with 13 of these being leveraged in ransomware attacks.