FortiBleed: Major Leak Exposes 74,000 Fortinet VPN Credentials Globally
A significant data leak, dubbed "FortiBleed," has uncovered a vast collection of **Fortinet** and **FortiGate** VPN credentials, impacting nearly 74,000 firewall URLs across organizations worldwide. This exposure includes usernames, email addresses, and plaintext passwords, posing a severe risk to global enterprises and critical infrastructure.

Security researcher **Bob Diachenko** first discovered the exposed data, identifying a server containing what appeared to be valid **Fortinet** VPN credentials. The database reportedly lists entries for major corporations like **Chevron**, **Samsung**, **Foxconn**, **Comcast**, **AT&T**, **Mercedes-Benz**, and **Toyota**, among many others.
### Russian-Speaking Group Allegedly Behind Campaign
**Diachenko** later linked the operation to a Russian-speaking multi-operator threat group. This group allegedly conducted an extensive credential-stuffing campaign, making approximately 1.16 billion login attempts against 320,777 **FortiGate SSL VPN** devices and a further 2.1 billion attempts against 163,650 **Microsoft SQL Server** systems.

The attackers reportedly intercepted **SSL VPN** authentication hashes, cracked them using a 45-GPU cluster managed through **Hashtopolis**, and then leveraged these credentials for lateral movement into internal **Active Directory** environments. **Diachenko** uncovered these details by analyzing additional files inadvertently left exposed on the same server, including tooling, scripts, and logs.
### Widespread Global Impact
**Diachenko**'s investigation further revealed that multiple organizations in Japan, Taiwan, Vietnam, Iraq, and Turkey were fully compromised. This includes a Turkish **NATO** defense contractor from which classified documents were allegedly stolen.

Threat intelligence company **Hudson Rock** has also analyzed the dataset, describing it as one of the largest known collections of compromised **Fortinet**-related credentials. Their analysis confirms 73,932 unique firewall URLs across 194 countries and 21,632 unique domains.

The dataset shows a detailed log of successful compromises, with verified credentials impacting nearly every major industry sector. **Hudson Rock** lists organizations such as **Foxconn**, **Samsung**, **Comcast**, **Siemens**, **Lenovo**, **PwC**, **Accenture**, and **Oracle** among those affected, alongside numerous government agencies and critical infrastructure operators.

Countries with the highest number of affected devices include India, the United States, Taiwan, Mexico, Turkey, and Thailand. Common sectors impacted are telecommunications, IT services, financial services, government, healthcare, education, and manufacturing.
### Credentials Likely Extracted from Fortinet Configurations
Cybersecurity researcher **Kevin Beaumont** independently reviewed portions of the exposed data, confirming the authenticity of several administrative logins and passwords. **Beaumont**'s findings suggest the data originated from exported **Fortinet** configurations, as it contains information such as email addresses that is typically found within such files.

He noted that the affected IP addresses differ from those in the 2025 **Belsen Group Fortinet** leak, indicating this is a new and more extensive compromise. **Beaumont** verified that many affected devices are running relatively recent **FortiOS** versions and that approximately half of all internet-accessible **Fortinet** firewalls are implicated, with a majority exposing their **FortiGate** management interfaces directly to the internet.

The exact method by which the configuration data was initially obtained remains unclear, whether through previously disclosed vulnerabilities, a new exploit, or another vector. Neither **Diachenko**, **Hudson Rock**, nor **Beaumont** has identified the original source of the data.
### Immediate Action Required
**Hudson Rock** has made a free **FortiBleed** lookup tool available for organizations to check if they are impacted. Organizations listed in the dataset, or those concerned about potential exposure, should immediately:
* Rotate all passwords associated with **Fortinet** VPN and administrative interfaces.
* Enforce Multi-Factor Authentication (MFA) across all relevant systems.
* Thoroughly examine gateway logs for any suspicious activity.
* Monitor for any exposed employee credentials.
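
The credential-stuffing campaign described above and the advice to examine gateway logs both come down to the same question for a defender: does the SSL VPN event log show one remote address cycling through many usernames, and did any of those attempts eventually succeed? The script below is an added example written for this article, not tooling from Hudson Rock, Diachenko, Beaumont, or Fortinet. The log lines are constructed for illustration in FortiOS's `key="value"` event-log style; the field names `date`, `time`, `action`, `user`, `remip` and `reason` are the ones FortiOS uses for SSL VPN events, but every value, address and username is made up, and the window and thresholds are illustrative assumptions to be tuned per environment.

```python
"""Credential-stuffing triage over FortiGate-style SSL VPN event logs.

Added example, not from the article. Log lines are CONSTRUCTED in the
FortiOS key="value" event-log layout; addresses and users are fictitious.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one address cycles through five users and then gets a
# tunnel; a second address shows a single typo followed by a normal login.
SAMPLE_LOG = """\
date=2025-01-10 time=08:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.7 reason="sslvpn_login_unknown_user"
date=2025-01-10 time=08:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=203.0.113.7 reason="sslvpn_login_unknown_user"
date=2025-01-10 time=08:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="erin" remip=203.0.113.7 reason="sslvpn_login_unknown_user"
date=2025-01-10 time=08:00:09 type="event" subtype="vpn" action="tunnel-up" user="erin" remip=203.0.113.7 tunneltype="ssl-web"
date=2025-01-10 time=08:05:00 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=198.51.100.4 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:05:30 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.4 tunneltype="ssl-web"
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiOS-style log line into a dict with a combined timestamp."""
    fields = {k: q or u for k, q, u in KV_RE.findall(line)}
    # FortiOS splits the timestamp into date= and time=; join them here.
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def parse_log(text):
    """Parse all non-empty lines and return them in chronological order."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])


def detect_stuffing(events, window=timedelta(seconds=60), min_failures=5, min_users=3):
    """Flag per remote IP: a burst of failures spread over many distinct users
    (the stuffing signature), and any tunnel-up that follows such a burst.
    A lone failure before a success (a user mistyping a password) is not flagged."""
    findings = []
    recent = defaultdict(list)  # remip -> failures still inside the window
    flagged = set()             # IPs already reported for a burst
    for ev in events:
        ip = ev.get("remip")
        if not ip or ev.get("subtype") != "vpn":
            continue
        cutoff = ev["ts"] - window
        recent[ip] = [f for f in recent[ip] if f["ts"] >= cutoff]
        if ev.get("action") == "ssl-login-fail":
            recent[ip].append(ev)
            users = {f.get("user") for f in recent[ip]}
            if len(recent[ip]) >= min_failures and len(users) >= min_users and ip not in flagged:
                flagged.add(ip)
                findings.append({"kind": "stuffing_burst", "remip": ip,
                                 "failures": len(recent[ip]), "distinct_users": len(users),
                                 "last_seen": ev["ts"]})
        elif ev.get("action") == "tunnel-up" and len(recent[ip]) >= min_failures:
            # A success right after a spray from the same address is the
            # event worth paging on: a guessed credential is now in use.
            findings.append({"kind": "success_after_burst", "remip": ip,
                             "user": ev.get("user"), "preceding_failures": len(recent[ip]),
                             "at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample this reports a `stuffing_burst` for 203.0.113.7 and a `success_after_burst` for the same address with user `erin`, and stays silent about 198.51.100.4. In practice the input would be the SSL VPN event log pulled from the firewall or the SIEM, and a `success_after_burst` finding is the trigger for rotating that account's password and reviewing what the tunnel touched.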

**Ghost Protocol** has reached out to **Fortinet** for comment and will update this article with any response received.