FortiBleed: Nearly 75,000 Enterprise Firewalls Breached Worldwide — Oracle, Samsung, FedEx and Governments Among Victims
A Russian-speaking cybercriminal group has quietly harvested valid login credentials from roughly half of all internet-facing Fortinet devices globally, creating a verified database that lets attackers walk into corporate and government networks at will.
A large-scale credential theft campaign dubbed “FortiBleed” has exposed login credentials for nearly 75,000 Fortinet firewall and VPN gateway devices worldwide, striking organizations across every major industry — from Fortune 500 technology firms and global logistics companies to government agencies and NATO-affiliated defense contractors.
The breach was first brought to public attention on June 17, 2026, when veteran security researcher Volodymyr “Bob” Diachenko of SecurityDiscovery.com discovered a server left exposed by the attackers, containing plaintext usernames and passwords for tens of thousands of FortiGate devices. He described it as a “massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action.”
“The data is legit. It is around 75k devices. Almost all are still online and Fortinet devices. It appears to be recent data.”
— Kevin Beaumont, independent cybersecurity researcher, June 18, 2026
Beaumont, a widely respected British security expert, reviewed the dataset with assistance from threat intelligence firm Hudson Rock and confirmed the credentials were valid and recently harvested. Many organizations had no idea their devices had been compromised.
How the Attack Worked
Investigators describe an industrial-scale, highly automated operation executed by a multi-operator, Russian-speaking cybercriminal group motivated by financial gain. The campaign unfolded in four stages:
- Mass internet scanning: The group deployed a custom scanning program running 25,000 simultaneous threads to sweep the internet for all exposed FortiGate management interfaces and SSL VPN portals, ultimately targeting over 320,000 FortiGate devices and executing approximately 1.16 billion credential attempts — alongside 2.1 billion attempts against over 160,000 Microsoft SQL servers.
- Credential stuffing: Attackers drew on previously leaked Fortinet password libraries, publicly disclosed credential databases, and credentials harvested by information-stealing malware. According to SOCRadar, 35% of cracked credentials belonged to general administrator accounts, and 28.3% were Fortinet built-in system accounts — many of which still used factory-default passwords.
- Hash cracking at scale: After logging into devices, attackers extracted SSL VPN authentication hashes and ran them through a dedicated 45-GPU cracking cluster managed by Hashtopolis. A self-reinforcing, 12-level recursive system fed each newly cracked password back as a seed to generate better candidate passwords — dramatically accelerating the cracking rate over time.
- Lateral movement into internal networks: Authenticated attackers pivoted into corporate internal networks, targeting centralized authentication systems including RADIUS servers and Microsoft Active Directory, assembling a verified database of working credentials for reuse in future intrusions.
A Flaw Hidden Inside a Fix
Security experts point to a critical oversight in Fortinet’s own upgrade process as a key enabler. In early 2025, Fortinet strengthened how it stores administrator credentials on FortiOS — switching from the more vulnerable SHA-256 with salt hashing to the stronger PBKDF2 standard beginning with FortiOS versions 7.2.11, 7.4.8, and 7.6.1.
However, Fortinet warned at the time that existing passwords would remain stored in the old SHA-256 format until each administrator actively logged in again after applying the firmware update. Many organizations patched their devices but never took that additional step, leaving legacy credentials stored in a format far more susceptible to offline brute-force attacks — exactly the weakness the FortiBleed attackers exploited.
“Many compromised devices were ‘patched’ — the fix created a legacy data debt that left credentials vulnerable even on up-to-date firmware.”
— SOCFortress analysis of the FortiBleed campaign
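To make the "legacy data debt" concrete, here is an added illustration (not Fortinet's code, and the hash string formats are assumed for the example) of a credential store that only upgrades a salted SHA-256 hash to PBKDF2 when the account next logs in, plus an audit helper that lists the accounts still sitting on the old format and a rough measurement of the per-guess cost gap between the two schemes.

```python
import hashlib
import hmac
import os
import time

# Illustrative iteration count; the real FortiOS parameters are not given on the page.
PBKDF2_ITERS = 100_000

def hash_legacy(password, salt=None):
    """Assumed legacy format: 'sha256$<salt_hex>$<digest_hex>' (one SHA-256 over salt+password)."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"

def hash_pbkdf2(password, salt=None, iters=PBKDF2_ITERS):
    """Assumed upgraded format: 'pbkdf2$<iters>$<salt_hex>$<digest_hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters).hex()
    return f"pbkdf2${iters}${salt.hex()}${digest}"

def verify(stored, password):
    """Check a password against either stored format using a constant-time comparison."""
    parts = stored.split("$")
    if parts[0] == "sha256":
        _, salt_hex, digest = parts
        cand = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    elif parts[0] == "pbkdf2":
        _, iters, salt_hex, digest = parts
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(salt_hex), int(iters)).hex()
    else:
        return False
    return hmac.compare_digest(cand, digest)

def login(store, user, password):
    """Verify and, only on a successful login, rewrite a legacy hash as PBKDF2.
    This is the lazy migration the article describes: no login, no upgrade."""
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("sha256$"):
        store[user] = hash_pbkdf2(password)
    return True

def legacy_accounts(store):
    """Audit helper: accounts whose hashes never migrated after the firmware update."""
    return sorted(u for u, h in store.items() if h.startswith("sha256$"))

def guesses_per_second(hasher, seconds=0.2):
    """Rough single-core guess rate; shows why the old format is far cheaper to crack offline."""
    salt = b"\x00" * 16
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        hasher("candidate%d" % n, salt)
        n += 1
    return n / seconds
```

Running `legacy_accounts` against an export of the store is the check a defender wants after patching: any account it returns is still protected only by the cheaper hash until that user logs in again.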
Who Was Affected
Hudson Rock described the operation as having a scope that “touches nearly every sector of the global economy.” Among the organizations identified in the dataset:
The countries with the highest numbers of compromised devices include the United States, India, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates. Diachenko confirmed that attackers gained full network access to organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey. In one of the most alarming disclosures, classified military documents were reportedly exfiltrated from a Turkish NATO defense contractor.
Of government victims in the dataset, SOCRadar stated that India accounts for over 60%, while Ukraine, Poland, and Taiwan, alongside other NATO-adjacent states, are also heavily represented.
Fortinet’s Response
Fortinet confirmed it was aware of the credential theft campaign. In a statement, the company said the malicious activity draws on data from previous incidents combined with brute-force password guessing, and asserted that the campaign is “not related to any recent incident or advisory” and does not involve a new vulnerability in its products.
Security researcher Kevin Beaumont disputed a purely historical explanation, noting that many of the affected devices were running relatively recent FortiOS versions and that the data appeared to originate from device configuration exports — suggesting recent access, not merely reused old data. Fortinet had not provided further clarification at the time of publication.
What Organizations Should Do Now
Security researchers and national cybersecurity agencies — including the UK’s National Cyber Security Centre — issued urgent guidance. Any organization with Fortinet devices should treat this situation as a potential active compromise. Hudson Rock has published a free lookup tool allowing organizations to search their domain and IP addresses against the dataset.
- Immediately remove the FortiOS Management Interface from direct public internet access.
- Rotate all credentials on Fortinet devices, even if the device does not appear in the dataset.
- Ensure administrators log in after any firmware update to force passwords to be re-hashed using the secure PBKDF2 standard.
- Enforce multi-factor authentication (MFA) on all administrator accounts and all external VPN gateways — security experts call this the last reliable line of defense against stolen credentials.
- Audit logs for any unauthorized successful logins, backdoor accounts, or altered security controls. If found, isolate the device from both the internet and the internal network.
- Audit internal networks — particularly Active Directory and RADIUS servers — for signs of lateral movement.
- Do not reuse passwords across platforms; credential reuse is the core mechanism this attack exploited.
- Use the Hudson Rock lookup tool at their website to verify whether your organization’s domains or IPs appear in the leaked dataset.
As Diachenko noted: “Scale itself is complexity. You don’t need a sophisticated attack method; by attacking tens of thousands of devices simultaneously, you can always break through a large number.” The FortiBleed campaign demonstrates that even patched, ostensibly up-to-date infrastructure can harbor critical credential vulnerabilities — and that attackers now possess the automated, GPU-accelerated tools to exploit them at industrial scale.
