Hackers leak passwords for 500,000 Fortinet VPN accounts


Level 37
Thread author
Top poster
Feb 4, 2016
Both posts lead to a file hosted on a Tor storage server used by the Groove gang to host stolen files leaked to pressure ransomware victims to pay.
BleepingComputer's analysis of this file shows that it contains VPN credentials for 498,908 users over 12,856 devices.

While we did not test if any of the leaked credentials were valid, BleepingComputer can confirm that all of the IP addresses we checked are Fortinet VPN servers.
Further analysis conducted by Advanced Intel shows that the IP addresses are for devices worldwide, with 2,959 devices located in the USA.
Kremez told BleepingComputer that the Fortinet CVE-2018-13379 vulnerability was exploited to gather these credentials.
A source in the cybersecurity industry told BleepingComputer that they were able to legally verify that at least some of the leaked credentials were valid.


Level 16
Top poster
Oct 13, 2019
The vulnerability was over 2 years old when it was exploited. But as crazy as that sounds on the surface, in practice it's more complicated:
  • Fortinet OS updates are notorious for breaking things here and there. They do not do separate security patches vs OS updates (similar to how iOS is updated, you get a mix of security fixes and features). Companies that have complicated networking rules are often afraid of upgrading because of the long tail of issues that only get noticed during business hours.
  • Like most enterprise devices, you must pay a subscription fee to get access to software updates and support. If your contract expires, you lose access to these updates. If you want access again, you most often have to "back-pay" all the license payments you missed, plus an additional penalty. When money gets tight, it's tempting to skip renewing your enterprise network equipment licenses... but once you do so, you dig yourself into a hole of debt that's hard to get out of.