FortiBleed: 73,932 Fortinet Firewall Passwords Leaked Across 194 Countries

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
A Russian-speaking threat group exposed verified VPN and administrative credentials for 73,932 Fortinet FortiGate firewalls: approximately half of all internet-facing Fortinet devices worldwide: in the Fortinet VPN credential leak campaign researchers named FortiBleed. The dataset, discovered June 17, 2026 by security researcher Volodymyr "Bob" Diachenko on a misconfigured attacker-controlled server, contains usernames, email addresses, and plaintext passwords linked to 21,632 unique domains across 194 countries, including Chevron, Samsung, AT&T, Comcast, Siemens, and multiple government agencies.
The FortiBleed attackers built their dataset through an industrial-scale operation: they swept 59.3 million internet-facing hosts for exposed FortiGate management interfaces, executed 1.16 billion credential-based login attempts against 320,777 FortiGate targets, and cracked intercepted SSL VPN authentication hashes using a 45-GPU cluster managed through Hashtopolis: a distributed password cracking framework capable of recovering long, complex passwords that resist standard online brute-force. The same group ran 2.1 billion brute-force attempts against over 163,000 Microsoft SQL Server instances simultaneously, confirming a broad credential monetization operation rather than a targeted campaign.
The most significant detail for defenders: the FortiBleed dataset has not yet been offered for sale or shared on criminal forums as of June 18, 2026. SOCRadar's dark web monitoring team is actively tracking distribution channels. The operators organized the dataset by company type, revenue, and employee headcount: the recognized fingerprint of initial access brokers packaging credentials for ransomware affiliate buyers. Any organization with Fortinet firewalls exposed to the internet has a narrow window to rotate credentials and enforce multi-factor authentication before this inventory reaches buyers. Use the free Hudson Rock FortiBleed lookup tool at https://www.hudsonrock.com/fortinet to check your domain exposure today.
How Does the FortiBleed Credential Harvesting Attack Work?
The FortiBleed campaign executed in three mechanically distinct phases that threat intelligence researchers at Hudson Rock and Arctic Wolf reconstructed from the attacker's exposed toolchain.
Phase one: reconnaissance. The group used automated scanners to sweep 59.3 million internet hosts for exposed Fortinet management interfaces, FortiGate SSL VPN login portals, and Microsoft SQL Server instances. They fingerprinted approximately 437,000 FortiGate devices during this phase, cataloging active endpoints and software versions for targeted exploitation.
Phase two: credential stuffing. The attackers tested Fortinet-specific credential pairs from historical infostealer malware dumps against every identified login portal, executing approximately 1.16 billion credential attempts. Diachenko's review of the attacker's exposed directory structure revealed curated Fortinet-specific credential lists: cross-referenced infostealer data specifically tagged to Fortinet devices, not generic password lists. The group targeted passwords that had already worked on Fortinet devices before, extracted from stealer logs sold on criminal markets.
Phase three: offline hash cracking. For SSL VPN sessions where credential stuffing failed, the attackers intercepted SSL VPN authentication handshake hashes and loaded them into a 45-GPU Hashtopolis cluster for offline cracking. Hashtopolis is an open-source distributed hash cracking framework widely used in penetration testing and cybercriminal operations. The GPU cluster recovered "long, complex passwords" that would resist standard online brute-force: a capability associated with well-resourced criminal organizations or state-affiliated actors.
Post-access, the threat group documented lateral movement into internal Active Directory environments from compromised FortiGate endpoints, confirming that FortiBleed represents active intrusions, not just a speculative credential inventory.
Who Is Behind the FortiBleed Campaign?
Attribution remains incomplete, but threat intelligence analysts at SOCRadar, Hudson Rock, and Arctic Wolf have assembled a profile of the FortiBleed operators from the exposed toolchain and dataset organization.
The group is described as a Russian-speaking multi-operator cybercriminal syndicate: multiple individuals or subgroups operating under a shared infrastructure rather than a single actor. The multi-operator model is consistent with initial access broker (IAB) collectives that specialize in large-scale credential harvesting and sell verified access to ransomware affiliates and espionage-motivated actors at prices ranging from a few thousand to tens of thousands of dollars per target depending on the victim's revenue and sector.
The dataset organization is the most telling behavioral indicator. The attackers sorted their 73,932-entry credential inventory by company name, industry sector, annual revenue, and employee headcount. This metadata-enriched sorting is a signature of eCrime operators who package access for buyers filtering targets by deal size. Hudson Rock analysts noted that the FortiBleed database is formatted specifically for buyers who want to filter targets by industry and deal size: consistent with the IAB market model where network access sells per-target.
No ransomware group has publicly claimed credit for the campaign. No ransom demands have been issued to confirmed victims as of June 18, 2026. The absence of immediate extortion, combined with the structured dataset organization and multi-operator profile, points toward a preparation phase: the group is either building an access inventory to sell or preparing to deploy ransomware affiliates across selected high-value targets once the acquisition phase completes.
“I have been able to confirm the authenticity of some of the admin logins and passwords: this looks like a real dump.”
Kevin Beaumont, independent security researcher, BleepingComputer, June 2026
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Which Organizations Are in the FortiBleed Dataset?
The FortiBleed Fortinet VPN credential leak spans 194 countries and 21,632 unique domains, encompassing some of the world's largest enterprises, critical infrastructure operators, and government agencies.
Confirmed entries identified by Hudson Rock and independent researchers include: Chevron (energy), Samsung (electronics), Foxconn (manufacturing), Comcast and AT&T (telecommunications), Mercedes-Benz and Toyota (automotive), Siemens (industrial technology), Lenovo (hardware), PwC and Accenture (professional services), Oracle (enterprise software), and multiple unnamed government agencies and critical infrastructure operators.
Geographic concentration is highest in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates. The United States representation includes Fortune 500 enterprises, federal contractors, and mid-market organizations across all major sectors.
By industry: telecommunications records the highest volume, followed by IT services, financial services, government and critical infrastructure, healthcare, education, and manufacturing. This distribution reflects FortiGate's dominant market position as an enterprise perimeter firewall: any large organization relying on Fortinet for edge security is a plausible dataset entry.
The 50% internet-facing saturation figure, sourced from Shodan data by Kevin Beaumont, is the operational insight most relevant for defenders. If your organization operates FortiGate firewalls with management interfaces or SSL VPN portals accessible from the internet and has not rotated credentials in the last 90 days, the likelihood of appearing in the FortiBleed dataset is significant. The Fortinet FortiSandbox exploitation campaign documented in the CVE-2026-39813 active exploitation analysis shows that attackers consistently prioritize Fortinet infrastructure as an entry point because controlling the security appliance controls the entire defensive perimeter.
FortiBleed IOCs and Behavioral Detection Indicators
The FortiBleed campaign's IOC profile differs from most credential theft operations. Diachenko discovered the dataset on a misconfigured attacker-controlled server rather than from a dark web forum post, so the exposed infrastructure provides behavioral indicators rather than traditional network IOCs.
No threat actor C2 domains, payload hashes, or specific attacker IP addresses have been publicly attributed to the FortiBleed campaign as of June 18, 2026. SOCRadar's dark web monitoring is actively tracking for distribution of the dataset on criminal forums. Defenders should focus on three categories of behavioral indicators to detect post-exploitation activity.
Credential-stuffing signatures in FortiGate logs: Review VPN authentication logs for login attempts from unexpected source IP ranges, failed authentication spikes against admin or SSL VPN accounts, and successful logins from IP addresses outside your organization's known user locations. The FortiBleed operators used geographically distributed scan infrastructure, making geographic blocking alone insufficient for detection. Arctic Wolf's analysis of the campaign recommends reviewing FortiGate authentication logs from at least January 2026 onward for anomalous patterns (see Arctic Wolf: Active FortiBleed Campaign Impacting Fortinet Devices Across 194 Countries).
Hash interception artifacts: SSL VPN authentication handshake interception produces RADIUS or LDAP log entries consistent with incomplete authentication attempts followed by no further legitimate session activity. FortiGate logs showing authentication challenges that were never completed in the normal session flow may correspond to hash interception events in the FortiBleed timeline.
Active Directory lateral movement from firewall IPs: The operators documented AD access following FortiGate compromise. Check Windows Security Event logs for Kerberos TGT requests originating from FortiGate management IP ranges, unexpected LDAP queries from firewall service accounts, and Group Policy Object modifications in the hours following any identified credential anomaly on FortiGate devices.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How to Verify Your Fortinet VPN Credential Exposure Right Now
The fastest verification step for any organization operating Fortinet equipment is the Hudson Rock FortiBleed exposure checker at https://www.hudsonrock.com/fortinet. Enter your organization's domain; the tool queries the FortiBleed dataset and returns whether matching credentials appear. This check is free, requires no account creation, and returns results immediately.
Beyond the lookup tool, the credential exposure scope extends to subsidiary and acquired company domains. Organizations with recent M&A activity should check every domain in their portfolio: attackers who inventory by revenue specifically target subsidiary networks that may operate inherited Fortinet deployments without the same credential hygiene controls as the parent organization.
Fortinet has not released a dedicated advisory for FortiBleed because the dataset derives from prior incidents and brute-force attacks rather than a new product vulnerability. The absence of a CVE does not reduce the urgency: credentials valid at the time of the FortiBleed scan remain valid today for any account that has not been rotated. This is precisely the credential exposure dynamic documented in the 16 billion credential dark web leak analysis: infostealer-sourced passwords persist as active risks indefinitely until organizations actively rotate them.
Security teams that confirm their domain appears in the FortiBleed dataset should escalate to a formal incident response engagement rather than treating this as routine credential rotation. Post-compromise Active Directory access documented in FortiBleed analysis means affected organizations may already have unauthorized persistence established in their environments that survives a password rotation alone.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why Fortinet VPN Credential Exposure Matters for Your Organization
The FortiBleed dataset creates a structural threat that extends beyond the specific organizations named in the exposed records. Fortinet's market position as the most widely deployed enterprise firewall platform makes any mass credential exposure disproportionately dangerous: a single credential from this dataset used successfully gives an attacker administrative control over the network perimeter itself.
Network perimeter control enables everything downstream: disabling security controls, intercepting traffic, establishing persistence across internal systems, and staging ransomware deployments without triggering endpoint detection tools that cannot inspect traffic before it crosses the firewall. Ransomware groups consistently rank initial access through VPN credentials as one of their most frequently exploited entry vectors. A FortiGate admin credential is worth more to an attacker than a compromised workstation because it controls the boundary that all other defenses depend on.
The dataset organization by revenue and sector creates a prioritized targeting list for ransomware affiliates who purchase initial access from IABs. High-revenue organizations in financial services, telecommunications, and critical infrastructure: sectors prominently represented in the FortiBleed data: face elevated probability of ransomware targeting within weeks of any successful IAB transaction using this dataset.
Organizations that cannot execute full credential rotation today due to operational constraints should at minimum enforce MFA on all Fortinet interfaces within 24 hours. MFA blocks credential-stuffing exploitation even when an account password appears in the FortiBleed dataset, interrupting the attacker's chain at the authentication step before any post-access lateral movement becomes possible.
The bottom line
The Fortinet VPN credential leak exposed 73,932 firewall admin and SSL VPN passwords, handed a Russian-speaking IAB syndicate a revenue-sorted targeting list for ransomware affiliates, and affected roughly half of all internet-facing Fortinet devices worldwide. Three actions make the difference: run the Hudson Rock lookup at hudsonrock.com/fortinet for every domain you operate, rotate every FortiGate credential today, and enforce MFA on every Fortinet interface before the weekend. The FortiBleed dataset is not yet for sale on criminal forums: act before it is. For a full IOC list, Suricata detection rules, and SIEM queries to identify FortiBleed exploitation in your environment, see the FortiBleed IOC dataset and detection guide.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is FortiBleed?
FortiBleed is a mass credential harvesting campaign in which a Russian-speaking multi-operator cybercriminal group collected VPN and administrative passwords for 73,932 Fortinet FortiGate firewalls across 194 countries. The dataset was discovered June 17, 2026 by security researcher Volodymyr "Bob" Diachenko on a misconfigured attacker-controlled server and independently verified by Hudson Rock and Kevin Beaumont. The name evokes Heartbleed but refers to credential theft, not a software vulnerability in Fortinet products.
How many Fortinet firewalls were affected by FortiBleed?
73,932 unique firewall URLs appear in the FortiBleed dataset, corresponding to approximately 75,000 devices. Kevin Beaumont's analysis using Shodan data estimates this represents roughly 50% of all internet-accessible Fortinet firewalls worldwide. The dataset impacts 21,632 unique organizational domains across 194 countries, affecting enterprises from Fortune 500 companies to government agencies and critical infrastructure operators.
Is FortiBleed a CVE or software vulnerability?
No. FortiBleed is not a vulnerability in Fortinet software and carries no CVE identifier. The name deliberately evokes Heartbleed but the root cause is credential theft through prior infostealer campaigns, brute-force attacks, and offline GPU-based hash cracking: not a flaw in FortiOS code. Fortinet confirmed that the credentials originated from previous incidents and brute-force attacks and are not related to any recent incident or advisory.
How did attackers harvest the Fortinet VPN credentials?
The operators swept 59.3 million internet hosts to identify exposed FortiGate management interfaces, then executed 1.16 billion credential attempts using Fortinet-specific lists compiled from historical infostealer dumps. For SSL VPN sessions where credential stuffing failed, they intercepted authentication hashes and cracked them offline using a 45-GPU Hashtopolis distributed cracking cluster, recovering complex passwords that resist standard online brute-force.
Which organizations appear in the FortiBleed dataset?
Hudson Rock confirmed entries for Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Siemens, Lenovo, PwC, Accenture, Oracle, and multiple government agencies. The full dataset spans 21,632 unique domains across 194 countries. Telecommunications, IT services, financial services, government, healthcare, and manufacturing are the most heavily represented sectors.
How do I check if my Fortinet firewall is in the FortiBleed database?
Visit the free Hudson Rock FortiBleed lookup tool at https://www.hudsonrock.com/fortinet and enter your organization's domain. The tool queries the FortiBleed dataset and returns whether credentials matching your domain appear. Check every domain your organization operates, including subsidiaries and recently acquired company domains, as attackers specifically target organizations with diverse domain portfolios.
What should I do immediately if my organization appears in FortiBleed?
Rotate all FortiGate administrative account passwords and API keys immediately. Rotate all SSL VPN user credentials. Enforce MFA on all management interfaces and VPN portals using RADIUS, LDAP with MFA enforcement, or FortiToken. Review FortiGate authentication logs from January 2026 onward for suspicious activity. If Active Directory anomalies are found, escalate to a formal incident response engagement: post-compromise AD access may indicate persistent unauthorized access that survives a password rotation alone.
What is the risk if organizations do not act on the FortiBleed data?
Ransomware affiliates routinely purchase initial access from IAB syndicates holding inventories like FortiBleed. The dataset is organized by industry, revenue, and headcount: a format designed for buyers filtering by deal size. Organizations that do not rotate credentials and enforce MFA before the dataset reaches criminal markets face elevated ransomware targeting. FortiGate admin access enables attackers to disable security controls, stage ransomware deployments, and execute attacks without triggering endpoint detection tools that cannot inspect traffic before it crosses the perimeter firewall.
Where can I download the FortiBleed IOC list or credential database?
The FortiBleed credential database is not available as a public download. The dataset is accessible through two verified tools: Hudson Rock's free domain lookup at hudsonrock.com/fortinet, which queries the database and returns whether credentials for your domain appear; and Kevin Beaumont's Shodan-cross-referenced analysis, which produced firewall counts by country. No third-party download of the full FortiBleed list has been verified as authentic: any claimed CSV or file export of the complete FortiBleed database should be treated as a potential phishing lure.
Are there FortiBleed IOCs for SIEM detection rules?
FortiBleed does not have traditional network IOCs such as C2 IPs, malicious domains, or payload hashes, because the credential theft used brute-force and offline hash cracking rather than malware implants. Behavioral indicators for SIEM detection include: spikes in failed FortiGate VPN authentication attempts from geographically unexpected IP ranges, RADIUS or LDAP authentication challenges with no subsequent completed session, and SSL VPN login attempts from ASNs not associated with your organization. Arctic Wolf recommends reviewing FortiGate authentication logs from January 2026 onward for these patterns as a post-incident verification step.
Sources & references
- BleepingComputer: FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices
- Hudson Rock: FortiBleed Exposure Checker
- SOCRadar: FortiBleed: The Compromise of 80,000+ Fortinet Firewalls
- Arctic Wolf: Active FortiBleed Campaign Impacting Fortinet Devices Across 194 Countries
- Security Affairs: FortiBleed Exposes Admin Passwords for 75,000 Fortinet Firewalls
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
