A Russian-speaking threat group cracked admin credentials for 73,932 FortiGate firewall URLs spanning 194 countries, then accidentally exposed their own operation on an open server.
Security researcher Bob Diachenko found the server first. It contained usernames, email addresses, and plaintext passwords, plus comments cataloging each target organization’s industry, revenue, and employee count. That last detail signals structured reconnaissance, not opportunistic credential dumping.
The mechanics were industrial. Attackers intercepted FortiGate SSL VPN authentication hashes, cracked them using a 45-GPU cluster managed through Hashtopolis, and processed 1.16 billion credential attempts against 320,777 FortiGate targets. An additional 2.1 billion attempts targeted 163,650 Microsoft SQL Server systems. A Turkish NATO defense contractor was among those fully compromised, with classified documents allegedly stolen.
Hudson Rock, which received the dataset from Diachenko and published independent analysis, confirmed 21,632 unique domains appear in the records. Names in the collection include Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, and Oracle, spanning telecommunications, healthcare, and government.
This dataset dwarfs the 2025 Belsen Group leak, and Kevin Beaumont confirmed it’s authentic after independent review. Beaumont also noted the collection represents approximately half of all internet-accessible Fortinet firewalls, most with management interfaces exposed directly to the public internet. That’s an administrative choice that organizations made; it’s still their choice to reverse.
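The management-interface exposure Beaumont describes is something an organization can audit from its own running configuration. The following script is an added example, not code from the article or from Fortinet: it parses a constructed `config system interface` block in FortiGate CLI syntax and flags any interface with `set role wan` whose `allowaccess` list includes an administrative protocol (HTTPS, HTTP, SSH or Telnet). The sample configuration and addresses are constructed for illustration.

```python
import re

# Constructed sample of a FortiGate "config system interface" block (not from the article).
# wan1 exposes HTTPS and SSH administration on a WAN-role interface; wan2 allows only ping.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
    edit "wan2"
        set vdom "root"
        set ip 198.51.100.5 255.255.255.0
        set allowaccess ping
        set role wan
    next
end
"""

# Protocols that grant administrative access to the firewall itself.
ADMIN_SERVICES = {"https", "http", "ssh", "telnet"}


def parse_interfaces(config_text):
    """Return {name: {"allowaccess": set, "role": str}} for each 'edit' entry."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = re.match(r'edit "([^"]+)"', line)
        if match:
            current = match.group(1)
            # FortiGate defaults: no management access, role undefined.
            interfaces[current] = {"allowaccess": set(), "role": "undefined"}
            continue
        if current is None:
            continue
        if line.startswith("set allowaccess "):
            interfaces[current]["allowaccess"] = set(line.split()[2:])
        elif line.startswith("set role "):
            interfaces[current]["role"] = line.split()[2]
        elif line == "next":
            current = None
    return interfaces


def exposed_admin_interfaces(config_text):
    """Sorted names of WAN-role interfaces that permit any admin protocol."""
    flagged = []
    for name, props in parse_interfaces(config_text).items():
        if props["role"] == "wan" and props["allowaccess"] & ADMIN_SERVICES:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name in exposed_admin_interfaces(SAMPLE_CONFIG):
        print(f"management access exposed on WAN interface: {name}")
```

Run it against a saved `show system interface` export; any interface it reports should have the admin protocols removed from its `allowaccess` list, with administration restricted to an internal interface and to specific source addresses via the admin account's `trusthost` settings.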
The data origin remains unknown. Hudson Rock’s free FortiBleed lookup tool lets affected organizations check whether they appear in the dataset before deciding on a response.
Rebecca Lauren