FortiBleed Exposes 73,932 FortiGate Credentials Across 194 Countries, Leaving Many Networks Already Breached
Updated · Tech Times · Jun 18
Summary
73,932 verified FortiGate usernames and passwords tied to 21,632 domains were found on an exposed attacker server, and researchers said many credentials still work on roughly half of internet-facing Fortinet devices.
1.16 billion credential attempts against 320,777 FortiGate targets built the dataset by combining older Fortinet leaks, infostealer passwords and cracked SSL VPN hashes, with more than 30,791 entries confirmed as working.
FortiOS upgrades did not fully protect some admins because legacy SHA-256 password hashes remained until each administrator logged in again; researchers said a 45-GPU cluster could crack those hashes at scale.
Compromised firewalls were then used as network sniffers to harvest more credentials and enable lateral movement, with researchers citing full breaches in Japan, Taiwan, Vietnam, Iraq and Turkey, including a Turkish NATO defense contractor.
Fortinet said the data reflects reshared old incidents and brute-forced credentials rather than a new breach, but researchers urged immediate password rotation, PBKDF2-capable upgrades, forced admin re-logins and Active Directory audits.
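The summary notes that legacy SHA-256 hashes stayed in place after an upgrade until each administrator logged in again, and that researchers urged forced admin re-logins. The following added example (not Fortinet code and not from the original article) models that rehash-on-login behaviour and the matching audit; the record format, function names, accounts and iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this model


def legacy_hash(password: str, salt: bytes) -> str:
    """Legacy record in this model: one salted SHA-256 pass, cheap to guess offline."""
    return f"sha256${salt.hex()}${hashlib.sha256(salt + password.encode()).hexdigest()}"


def pbkdf2_hash(password: str, salt: bytes) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    scheme, salt_hex, _ = stored.split("$")
    make = legacy_hash if scheme == "sha256" else pbkdf2_hash
    return hmac.compare_digest(make(password, bytes.fromhex(salt_hex)), stored)


def login(store: dict, user: str, password: str) -> bool:
    """Check the password; re-hash with PBKDF2 only on a successful login."""
    stored = store.get(user)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("sha256$"):
        # The plaintext is available only at this moment, so migration happens here.
        store[user] = pbkdf2_hash(password, os.urandom(16))
    return True


def legacy_accounts(store: dict) -> list:
    """Audit: accounts still on the legacy hash and needing a forced re-login or reset."""
    return sorted(u for u, h in store.items() if h.startswith("sha256$"))


def sample_store() -> dict:
    # Constructed accounts as they would look right after an upgrade: unchanged.
    users = {"admin": "Winter2024!", "backup-admin": "changeme", "netops": "s3cure-pass"}
    return {u: legacy_hash(p, os.urandom(16)) for u, p in users.items()}


if __name__ == "__main__":
    store = sample_store()
    login(store, "admin", "Winter2024!")
    print("still legacy:", legacy_accounts(store))
```

Accounts that never log in after the upgrade stay in the audit list, which is why the upgrade has to be paired with forced re-logins or password resets.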
FortiBleed Campaign Exposes 73,932 Fortinet VPN Credentials Across 194 Countries: Scope, Impact, and Urgent Response
Overview
Discovered in June 2026, the FortiBleed campaign is a major cybersecurity threat targeting Fortinet and FortiGate systems worldwide. This sophisticated attack led to the compromise of critical network infrastructure, exposing sensitive organizational data such as VPN credentials and firewall configurations. As a result, attackers can bypass security measures, creating a persistent risk of further exploitation. The campaign’s global reach and potential for severe consequences have prompted urgent warnings across the cybersecurity community, highlighting the need for immediate action to prevent widespread damage and ongoing threats to organizations.