Attackers cracked 75,000 Fortinet firewalls with old passwords, not a zero-day

The haul covers roughly half of all internet-facing FortiGate devices across 194 countries, with Samsung, Oracle, Siemens and FedEx among the names in the data. The break-in method was depressingly simple.

Image by: Fortinet

Security researchers have uncovered a sprawling cache of stolen credentials for Fortinet firewalls, exposing login details for tens of thousands of organisations around the world.

The dataset, dubbed “FortiBleed,” contains plaintext usernames, emails and passwords for 73,932 unique Fortinet FortiGate firewall and VPN devices across 194 countries, touching more than 21,000 domains. Researchers estimate that this is roughly half of all Fortinet firewalls currently exposed to the internet.

The names appearing in the data read like a roll call of global industry: Oracle, Chevron, Lenovo, FedEx, Foxconn, Samsung, Comcast, Siemens, PwC and Accenture among them, alongside a NATO defence contractor. According to Ars Technica, Fortinet itself appears in the list.

No flashy zero-day, just industrial password-cracking

One instructive part of FortiBleed is what it did not involve: there is no sign of a dazzling new flaw in Fortinet’s software.

Instead, researchers say the attackers scanned the internet for Fortinet devices, tried a curated list of already-known and previously leaked passwords against each one, and recorded every login that worked.

What they lacked in novelty they made up for in scale. The group sprayed hundreds of thousands of login endpoints, intercepted VPN authentication hashes and cracked them on a dedicated 45-GPU cluster, running more than a billion credential attempts. “The scale is the sophistication,” researcher Bob Diachenko told Ars Technica.

Once inside a device, they used it as a listening post, watching the traffic passing through and scooping up any fresh credentials that flowed by. A firewall, the thing meant to keep intruders out, became the perch they watched from.

Diachenko, who found the data on the attackers’ own server, attributes the campaign to a Russian-speaking group. Security firms SOCRadar and Hudson Rock analysed the haul, and researcher Kevin Beaumont independently confirmed the logins are real and current. Exactly how the credentials were first obtained is still unclear; exported FortiGate configuration files are the likely source.

What it does and doesn’t mean

An important caveat: exposed credentials are not the same as a fully breached network. The leak shows which doors could be opened, not that every organisation behind them was compromised.

The damage is not only theoretical, though. Diachenko says at least four organisations were fully compromised, including a Turkish NATO defence contractor from which classified documents were stolen.

Fortinet disputes the framing. It told reporters the data is “a resharing of data from previous incidents, as well as bruteforcing of credentials”, and is “not related to any recent incident or advisory”. Researchers counter that the affected devices differ from those in a known 2025 Fortinet leak, and that many run recent software, which points to a current haul.

It also sits alongside a wider pattern. VPN and firewall appliances have become a favourite target, with groups like Qilin repeatedly abusing corporate VPN gear for initial access.

The fix is unglamorous too. Researchers urge Fortinet users to rotate FortiGate admin and VPN passwords, enforce multi-factor authentication on all external access, lock management interfaces to trusted IP ranges, review logs for suspicious logins, and remove dormant accounts.
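Two of the steps above, reviewing logs for suspicious logins and confining management access to trusted IP ranges, can be checked mechanically. The script below is an added example and is not code from the article, from the researchers or from Fortinet. It parses a handful of constructed log lines written in a FortiGate-like key="value" layout (the field names srcip, user, action and status are assumptions for illustration, not a statement of Fortinet's actual schema) and flags three things a defender would want to see after a spraying campaign of this kind: one source address failing against several different accounts, a successful login from a source that had just been guessing across accounts, and any successful login from outside a trusted management range.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample log lines in a FortiGate-style key="value" layout.
# They are illustrative only and were not captured from any real device;
# the field names are assumptions for this example.
SAMPLE_LOGS = """\
date=2025-01-10 time=08:00:01 type="event" action="login" status="failed" user="admin" srcip="203.0.113.10" ui="https(203.0.113.10)"
date=2025-01-10 time=08:00:02 type="event" action="login" status="failed" user="fortinet" srcip="203.0.113.10" ui="https(203.0.113.10)"
date=2025-01-10 time=08:00:03 type="event" action="login" status="failed" user="vpnuser1" srcip="203.0.113.10" ui="https(203.0.113.10)"
date=2025-01-10 time=08:00:04 type="event" action="login" status="failed" user="backup" srcip="203.0.113.10" ui="https(203.0.113.10)"
date=2025-01-10 time=08:00:05 type="event" action="login" status="success" user="backup" srcip="203.0.113.10" ui="https(203.0.113.10)"
date=2025-01-10 time=08:05:00 type="event" action="login" status="failed" user="admin" srcip="10.0.5.20" ui="https(10.0.5.20)"
date=2025-01-10 time=08:05:10 type="event" action="login" status="success" user="admin" srcip="10.0.5.20" ui="https(10.0.5.20)"
date=2025-01-10 time=09:00:00 type="event" action="login" status="success" user="netops" srcip="198.51.100.7" ui="ssh(198.51.100.7)"
"""

# Trusted management ranges (assumed for the example): only logins from here
# should reach the admin interface if it has been locked down as advised.
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]

# Matches key=value and key="quoted value" pairs.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        val = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = val
    return fields


def analyse(log_text, trusted=TRUSTED_MGMT, spray_threshold=3):
    """Return three kinds of findings from login events:
    - spray_sources: sources that failed against >= spray_threshold distinct accounts
    - success_after_failures: a success from a source that had already failed
      against at least two different accounts (guessing that eventually worked)
    - untrusted_success: successful logins from outside the trusted ranges
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events = [e for e in events if e.get("action") == "login"]

    failed_users = defaultdict(set)   # srcip -> set of usernames it failed on
    findings = {"spray_sources": [], "success_after_failures": [], "untrusted_success": []}

    for e in events:
        src, user, status = e.get("srcip"), e.get("user"), e.get("status")
        if src is None or user is None:
            continue  # malformed line; skip rather than crash the review
        if status == "failed":
            failed_users[src].add(user)
        elif status == "success":
            # A success right after the same source tried several accounts is the
            # signature of a spray that finally hit a reused or weak password.
            if len(failed_users[src]) >= 2:
                findings["success_after_failures"].append((src, user, len(failed_users[src])))
            # Any success from outside the management allow-list is a finding on its
            # own: either the allow-list is not enforced or the range is wrong.
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in trusted):
                findings["untrusted_success"].append((src, user))

    for src, users in failed_users.items():
        if len(users) >= spray_threshold:
            findings["spray_sources"].append((src, sorted(users)))
    return findings


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOGS).items():
        print(kind)
        for item in items:
            print("   ", item)
```

On the constructed sample this reports 203.0.113.10 as a spraying source (four accounts tried), its eventual success on the "backup" account as a success-after-failures event, and two successes from outside 10.0.0.0/8. The single failed-then-successful admin login from 10.0.5.20 is deliberately not flagged, since one mistyped password from a trusted range is normal; the thresholds are parameters so a team can tune them to its own log volume.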

If a single reused password can open the front door, no firewall is going to save you.
