Updated · escudodigital.com · Jun 22
Fortinet Leak Exposes 75,000 Firewall Passwords Across 194 Countries

3 articles · Updated · escudodigital.com · Jun 22

Summary

  • About 75,000 FortiGate administrative passwords were exposed in an internet-accessible database, with researchers saying many credentials were still valid and the leak spans 73,932 unique firewall URLs.
  • Bob Diachenko found the server, and Kevin Beaumont with Hudson Rock verified the data, linking it to a brute-force and active exploitation campaign that may affect nearly 50% of Fortinet firewalls online.
  • The dataset includes plaintext passwords, usernames, emails and company profiles, giving attackers potential control of internal networks by changing security rules, creating hidden admin accounts and monitoring traffic.
  • Attackers also exposed their own tools and logs, which suggest a Russia-linked group made 1.16 billion FortiGate access attempts and 2.1 billion against Microsoft SQL Server using 45 GPUs to crack passwords.
  • Hudson Rock said the records cover 21,632 domains in 194 countries, including major companies and government agencies, and appear formatted for underground resale to ransomware, espionage and data-theft groups.

Insights

With half its firewalls breached, who is to blame: the vendor's old tech or users' poor habits?
How did a sophisticated hacking group get exposed by their own accidental operational leak?
As hackers use AI to craft attacks, are traditional security measures now becoming obsolete?

Inside the FortiBleed Campaign: 1.16 Billion Credential Attacks and the Global Fallout for Fortinet Security

Overview

The FortiBleed campaign, active as of June 2026, poses a critical cybersecurity threat by targeting Fortinet devices that still use the outdated salted SHA-256 password storage. Fortinet improved security in early 2025 with a stronger PBKDF2 method, but many devices remain vulnerable to brute-force attacks, making stored credentials easy to compromise. This ongoing risk requires urgent action from organizations: identify affected systems, update firmware, and reset passwords. The campaign's success highlights the dangers of legacy security practices and the need for immediate, coordinated defense to protect sensitive assets from compromise.
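The storage difference described above, shown as an added Python example (not Fortinet's code or on-device format): it contrasts one salted SHA-256 pass with PBKDF2, flags stored records that still need a password reset, and measures the per-guess cost gap. The `scheme$...` record layout, the function names, and the 600,000-iteration work factor are assumptions made for illustration.

```python
import hashlib, hmac, os, time

PBKDF2_ITERATIONS = 600_000  # assumed work factor, not a Fortinet parameter

def hash_legacy(password: str, salt: bytes) -> str:
    # One salted SHA-256 pass: the salt defeats precomputed tables,
    # but every guess still costs an attacker only a single hash.
    return f"sha256${salt.hex()}${hashlib.sha256(salt + password.encode()).hexdigest()}"

def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    scheme, *fields = record.split("$")
    try:
        if scheme == "sha256":
            expected = hash_legacy(password, bytes.fromhex(fields[0]))
        elif scheme == "pbkdf2":
            expected = hash_pbkdf2(password, bytes.fromhex(fields[1]), int(fields[0]))
        else:
            return False
    except (ValueError, IndexError):  # malformed record
        return False
    return hmac.compare_digest(expected, record)  # constant-time comparison

def needs_reset(record: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    # Legacy, malformed, or under-iterated records all require a new password.
    scheme, *fields = record.split("$")
    try:
        return scheme != "pbkdf2" or int(fields[0]) < min_iterations
    except (ValueError, IndexError):
        return True

def audit(records: dict) -> list:
    return sorted(name for name, rec in records.items() if needs_reset(rec))

def cost_ratio(rounds: int = 2000) -> float:
    # How many times more expensive one PBKDF2 check is than one legacy check.
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(rounds):
        hash_legacy(f"guess{i}", salt)
    legacy = (time.perf_counter() - t0) / rounds
    t0 = time.perf_counter()
    hash_pbkdf2("guess", salt)
    return (time.perf_counter() - t0) / legacy

if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample accounts, not leaked data
    store = {"admin": hash_legacy("Example-Passw0rd", salt),
             "netops": hash_pbkdf2("Example-Passw0rd", salt)}
    print("needs reset:", audit(store), "| cost ratio ~", round(cost_ratio()))
```

A record written under the legacy scheme stays cheap to guess against until the password itself is set again, which is why the audit treats every non-PBKDF2 record as needing a reset.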

...