FortiBleed — The 73,000+ Fortinet Firewall Credential Dump

What Is Happening?

In mid-June 2026, security researcher Volodymyr "Bob" Diachenko discovered a publicly exposed database containing administrator and VPN credentials for tens of thousands of Fortinet FortiGate firewalls. The campaign, now widely referred to as FortiBleed, has since been corroborated by threat intelligence firms Hudson Rock and SOCRadar, and independently verified by researcher Kevin Beaumont.

The scale is significant. Attackers targeted 73,932 unique firewall URLs across 194 countries, executing an estimated 1.16 billion credential-based attempts against more than 320,000 FortiGate devices. In parallel, the same group launched 2.1 billion brute-force attempts against over 160,000 MSSQL servers, resulting in more than 21,000 additional confirmed compromised domains.

FortiBleed is not a new vulnerability. It is an industrial-scale credential-stuffing operation that exploits a far more common problem: organisations that have never rotated their Fortinet passwords following earlier breaches.

How the Attack Works

The operation is fully automated. Threat actors scan the internet for exposed Fortinet firewalls and VPN gateways, then test each one against a curated credential list compiled from historical Fortinet breach data, infostealer malware logs, and previously leaked databases. Every successful login is recorded.

Once inside a device, the attackers do not simply take note and move on. They:

• Use the compromised firewall as a listening post, intercepting SSL VPN authentication hashes from active sessions passing through the device
• Crack those intercepted hashes offline using a dedicated 45-GPU cluster managed through the Hashtopolis framework
• Feed newly cracked passwords back into the scanning infrastructure, creating a self-reinforcing cycle of compromise
• Pivot directly into internal Active Directory environments to establish deep, persistent network footholds

One of the most troubling findings is that many of the compromised passwords were complex by conventional standards. Hudson Rock noted that credential complexity provides no meaningful protection when passwords already exist in an attacker's database — whether recovered through infostealer malware, prior device-level exploits, or legacy breach datasets.

Who Was Affected?

The confirmed victim list spans virtually every sector of the global economy. Named organisations include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC, alongside thousands of government entities, critical infrastructure operators, and mid-market businesses. A Turkish NATO defense contractor is among the confirmed victims, with classified defense documents reportedly exfiltrated in the process.

Fortinet has responded publicly, stating that the data circulating online "is a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory." The company added that organisations following routine best practices, including regular credential rotation, face minimal risk from this campaign.

Independent researchers have confirmed the data is legitimate. Whether individual credentials originate from a prior breach or this campaign, the practical outcome is the same: a working, verified database of administrator access to tens of thousands of corporate and government firewalls.

What You Should Do

1. Rotate all Fortinet credentials immediately

   Reset administrator passwords and VPN user accounts on every FortiGate device exposed to the internet. Treat all credentials on internet-facing devices as compromised until proven otherwise. Prioritise privileged accounts first.
2. Enable multi-factor authentication

   Enable MFA on every Fortinet administrative interface and SSL VPN where supported. Stolen credentials alone cannot complete a login when MFA is in place.
3. Restrict management interface exposure

   Apply local-in policies to limit admin panel access to trusted internal IP ranges only. Fortinet management interfaces should never be directly reachable from the public internet.
4. Review access logs for signs of intrusion

   Look for anomalous admin sessions, logins from unexpected geographies, unusual outbound traffic volumes, and authentication events tied to accounts that should not be active.
5. Check your exposure against published indicators

   SOCRadar and Hudson Rock have both published IOC lists and lookup tools tied to the FortiBleed dataset. Cross-reference your public IP addresses and FortiGate serial numbers.
6. Assume breach posture for your VPN boundary

   Apply zero-trust principles: microsegmentation, least-privilege access, and continuous session validation for all VPN-authenticated users. A compromised perimeter device should not grant unrestricted internal access.
7. Monitor for credential exposure on an ongoing basis

   Infostealer-harvested credentials are the recurring fuel for campaigns like FortiBleed. Continuous monitoring for leaked credentials tied to your organisation's domains is the most reliable early warning available.