A leaked dataset circulating since this week and dubbed FortiBleed exposes credentials and configuration data for 73,932 unique Fortinet firewalls across 194 countries — roughly half of every internet-accessible FortiGate device on the planet. Security researcher Volodymyr “Bob” Diachenko uncovered the collection, and infostealer-intelligence firm Hudson Rock has since analyzed it. Independent researcher Kevin Beaumont has confirmed that some of the exposed admin logins and passwords are real and still valid.

The list of affected organizations reads like an index of the Fortune Global 500. Hudson Rock and reporting from BleepingComputer name Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Siemens, Lenovo, PwC, Accenture, and Oracle, alongside numerous government agencies. The dataset touches 21,632 unique domains.

What FortiBleed actually is

Despite the name’s echo of Heartbleed, FortiBleed is not a single CVE. It is the byproduct of an industrial-scale credential operation. According to Diachenko’s analysis, a multi-operator, Russian-speaking cybercriminal group systematically scanned the internet for exposed Fortinet instances, then tested them against historical credential databases harvested by infostealer malware. Where credentials matched, the operators captured SSL VPN authentication hashes and cracked them offline using a 45-GPU cluster orchestrated through Hashtopolis.

The numbers behind the campaign are staggering. The group executed an estimated 1.16 billion credential-based attempts against more than 320,000 FortiGate targets, while running a parallel 2.1 billion brute-force attempts against over 160,000 MSSQL servers. FortiBleed is the cleaned, verified output of that grind: a curated list of devices the attackers could actually get into.

The exact extraction method for the configuration data remains unclear. Kevin Beaumont noted that the dataset contains information “typically only accessible through configs” — meaning it was likely pulled from Fortinet configuration files obtained through a previously disclosed vulnerability, a newly discovered flaw, or some other compromise path. That ambiguity matters: it means defenders cannot simply point to one patch and declare themselves safe.

Why “complex passwords” didn’t help

The most uncomfortable lesson in FortiBleed is that password strength was irrelevant for many victims. When a credential has already been stolen by an infostealer on an employee’s machine, its entropy no longer protects anything — the attacker is not guessing, they are replaying a known-good secret. Highly complex passwords offered no defense to organizations whose credentials had leaked in prior infostealer infections.

This is the throughline connecting FortiBleed to the broader infostealer economy. Edge devices like SSL VPN gateways are the perfect target: internet-facing by design, often under-monitored, and frequently sharing credentials with the Active Directory environments behind them. Diachenko confirmed full network compromises at multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey — including a Turkish NATO defense contractor from which classified defense documents were exfiltrated.

Don’t confuse it with “FortiLeak”

FortiBleed is being conflated online with an older incident sometimes called FortiLeak — the 2024 episode in which a hacker using the alias “Fortibitch” leaked roughly 440 GB of data allegedly pulled from Fortinet’s own Azure SharePoint instance. Fortinet acknowledged that incident, characterizing it as affecting less than 0.3% of its customer base. The two are distinct: FortiLeak was a breach of Fortinet corporate data; FortiBleed is a mass compromise of Fortinet customers’ edge devices. If you are triaging this week’s news, FortiBleed is the one that puts your own firewall on a list.

Fortinet’s brutal eighteen months: a timeline

FortiBleed does not land in a vacuum. It is the latest entry in a punishing run of Fortinet incidents we have tracked across breached.company — a pattern of edge-device exposure, authentication failures, and credential abuse that has compounded month over month.

  • November 17, 2025: Cybercriminals actively exploit vulnerabilities in Fortinet, Cisco, VMware, and WatchGuard, with FortiWeb’s CVE-2025-64446 path-traversal flaw quietly patched weeks before public disclosure.
  • December 11, 2025: Fortinet Under Fire: compromised FortiGate devices emerge as a recurring entry point in attacks on healthcare and critical infrastructure.
  • February 5, 2026: Fortinet Under Siege: CVE-2026-24858, a CVSS 9.4 FortiCloud SSO bypass, becomes the fourth authentication-bypass flaw in eight weeks — exposing systemic weakness in Fortinet’s auth architecture.
  • February 22, 2026: AI as a Weapon: a single actor uses off-the-shelf AI tooling to breach 600+ FortiGate firewalls across 55 countries in five weeks.
  • May 27, 2026: FortiClient EMS CVE-2026-35616: attackers weaponize the patch cycle itself, delivering the EKZ infostealer disguised as a Fortinet update.
  • June 17, 2026: FortiBleed: 73,932 firewalls’ credentials surface in a single dataset — the cumulative payoff of every leaked credential the prior incidents helped harvest.

Read end to end, the through-line is unmistakable: the attacks have shifted from exploiting individual CVEs to industrializing the credentials those exposures produced. FortiBleed is what that pipeline looks like at scale.

Fortinet’s response

As of publication, Fortinet had not issued a detailed public statement on the FortiBleed dataset. BleepingComputer reported it had contacted the company and would update its reporting on receipt of a response. The absence of an official line does not buy defenders time — Beaumont’s verification that live admin credentials are present in the dump means the window for exploitation is open now, not pending confirmation.

What to do if you run FortiGate

Every organization with internet-facing Fortinet devices should treat itself as potentially in the dataset until proven otherwise. Priorities:

  • Rotate all VPN and administrative credentials immediately — assume current passwords are burned, regardless of complexity.
  • Enforce multi-factor authentication on SSL VPN and admin interfaces. MFA is the single control that breaks credential replay.
  • Pull and review gateway logs for anomalous authentication, especially successful logins from unfamiliar geographies or impossible-travel patterns.
  • Hunt for lateral movement. Because attackers pivoted from VPN into Active Directory, a clean firewall log is not a clean bill of health — check domain controllers and privileged accounts.
  • Check for exposed employee credentials in infostealer datasets, since that is the supply chain that fed FortiBleed in the first place.
  • Reduce attack surface. Where SSL VPN does not need to be exposed to the entire internet, restrict it by geography or source allowlists.
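One way to implement the log-review step above, as an added example that is not from the article or from Fortinet: it parses constructed FortiGate-style key=value VPN event lines and flags successful logins from a country outside each user's baseline or with impossible travel between consecutive sessions. The field names, the GeoIP table and the per-user country baselines are all assumptions standing in for a real log export and lookup service.

```python
import math
import re
from datetime import datetime

# Constructed FortiGate-style SSL VPN event log lines in key=value form; the field
# names mirror the general FortiGate convention but are assumptions here.
SAMPLE_LOGS = """\
date=2026-06-16 time=08:02:11 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=203.0.113.10
date=2026-06-16 time=08:40:55 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=198.51.100.7
date=2026-06-16 time=09:10:02 type="event" subtype="vpn" action="tunnel-up" user="asmith" remip=192.0.2.44
date=2026-06-16 time=17:30:00 type="event" subtype="vpn" action="tunnel-up" user="asmith" remip=192.0.2.45
"""
# Constructed stand-in for a GeoIP lookup: /24 prefix -> (lat, lon, country).
GEO = {"203.0.113": (50.11, 8.68, "DE"), "198.51.100": (1.35, 103.82, "SG"), "192.0.2": (41.88, -87.63, "US")}
# Constructed per-user baseline: countries seen during a known-good period.
BASELINE = {"jdoe": {"DE"}, "asmith": {"US"}}
MAX_KMH = 900.0  # faster than an airliner: the same secret is being used from two places

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one key=value log line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def find_anomalies(raw_logs):
    """Return {(user, reason)} for tunnel-ups outside the user's baseline countries or
    implying travel faster than MAX_KMH since the previous login (lines in time order)."""
    flags, last = set(), {}
    for ev in (parse(l) for l in raw_logs.splitlines() if l.strip()):
        loc = GEO.get(ev.get("remip", "").rsplit(".", 1)[0])
        if ev.get("action") != "tunnel-up" or loc is None:
            continue  # only successful logins with a resolvable location are scored
        user, (lat, lon, cc) = ev["user"], loc
        ts = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
        if cc not in BASELINE.get(user, set()):
            flags.add((user, "unfamiliar_country"))
        if user in last:
            prev_ts, prev_pos = last[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            if hours > 0 and haversine_km(prev_pos, (lat, lon)) / hours > MAX_KMH:
                flags.add((user, "impossible_travel"))
        last[user] = (ts, (lat, lon))
    return flags
```

On the sample data, jdoe's second session is flagged twice (Frankfurt to Singapore in under 40 minutes, and Singapore is outside the user's baseline), while asmith's two Chicago-area logins are clean; a real deployment would feed these flags into the credential-rotation and AD hunting steps rather than treating them as proof on their own.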

FortiBleed is less a new vulnerability than a reckoning for an old one — the slow accumulation of stolen credentials that organizations never rotated. The firewalls did their job. The credentials in front of them did not.
