74,000 Fortinet Firewall Credentials Exposed in “FortiBleed” Data Leak
What Happened — A Russian‑speaking cyber‑criminal group published configuration files from roughly 74 000 Fortinet firewalls and VPN gateways, revealing admin usernames and passwords. The data, accidentally left on a public server, spans 194 countries and includes devices that still store passwords with a weak SHA‑256‑based scheme. Researchers confirmed the credentials are valid and have been used to pivot into internal Active Directory environments.
Why It Matters for Compliance & Audit Readiness
- SOC 2 CC6.1 (Logical Access) mandates controls that prevent unauthorized use of privileged accounts; exposed firewall credentials constitute a direct breach of that control.
- Continuous monitoring of privileged‑access logs and credential‑management processes supplies the audit evidence needed to demonstrate remediation and due‑diligence.
- The incident highlights the necessity of a formal credential‑rotation policy and regular verification that legacy devices meet current password‑storage standards.
Who Is Affected — Enterprises across technology, manufacturing, logistics, and government sectors; notable victims include Samsung, Siemens, Oracle, Accenture, DHL, Infosys, and several critical‑infrastructure agencies.
Recommended Actions
- Run the Hudson Rock lookup tool against your IP ranges; treat any match as a compromise.
- Immediately rotate all Fortinet admin passwords and enforce PBKDF2‑based storage.
- Review and restrict internet‑facing management interfaces on firewalls (disable remote admin UI where possible).
- Audit privileged‑access logs for anomalous logins and enforce MFA on VPN/SSL portals.
- Document the incident‑response steps to satisfy SOC 2 evidence requirements. Source: Help Net Security
Technical Notes — The group harvested credentials by intercepting SSL‑VPN authentication hashes, cracking them on a 45‑GPU Hashtopolis cluster, and exploiting devices that still used SHA‑256 with static salt. The leak includes both recently patched devices and older configurations. Source: Help Net Security