Cybercriminal Gang Just Leaked 500,000 Fortinet VPN Users’ Passwords


A hacker gang has allegedly collected and dumped a large trove of approximately 500,000 login credentials belonging to users of a popular VPN product from cybersecurity firm Fortinet.

The threat actor, who goes by the moniker of “Orange,” apparently leaked the trove of usernames and passwords on a dark web forum on Tuesday, Bleeping Computer has reported. While cybercriminals will often try to sell such data or use it for their own nefarious purposes, Orange apparently posted the large haul of information for free.

The accounts are believed to have been compromised via a previously discovered vulnerability in the product. In April, federal agencies warned of multiple security flaws in Fortinet’s VPN that could allow hackers access. The company has since issued patches for those security flaws — though that apparently did not stop droves of users from having their account information compromised.

According to research from security firm Advanced Intel, Orange is thought to be a member of the ransomware gang “Groove.” They are reputed to have also previously worked for Babuk, a prominent ransomware gang that attempted to extort the Washington D.C. Metropolitan police department for millions of dollars earlier this year.

Groove recently launched a new cybercrime forum called RAMP, and researchers have theorised that the gang may have leaked the VPN accounts as a way of drawing attention to their new business venture.

Virtual private networks, meant to protect a user’s confidential data and web activity, can become a privacy nightmare if somebody compromises them. In this case, access to Fortinet VPN accounts would likely allow cybercriminals to infiltrate networks, steal data, or worse. Unfortunately, the threat actor responsible for the leak has claimed that many of the credentials are still valid.

The credentials are reportedly tied to 498,908 users and 12,856 devices, spread across as many as 74 different countries. The largest share of credentials comes from India, though Italy, France, and Israel also have sizable shares.

Fortinet, which sells a number of security products, hasn’t yet commented on the leak. We reached out to the company for comment and will update this story if they respond.