Cybercriminals gained access to tens of thousands of Fortinet firewalls deployed at major organizations worldwide. The breach relied not on novel code exploits but on credentials harvested from prior incidents and brute-force attempts. Hudson Rock identified more than 73,000 unique Fortinet URLs compromised across 194 countries. SOCRadar placed the figure above 30,000 devices. Both firms published their findings this week.
The campaign, labeled FortiBleed by researchers, began with automated scans searching for exposed Fortinet systems. Attackers then tested lists of previously stolen usernames and passwords. Success granted entry. From there the intruders turned the firewalls into listening posts. They monitored traffic. They collected fresh credentials. Those new passwords fed back into the scanning tools. The system fed itself. SOCRadar described the loop in its analysis.
Once inside, operators could exfiltrate configuration files. They could alter settings. They could establish persistent access for further network infiltration. The data set first surfaced when security researcher Bob Diachenko discovered a server containing valid Fortinet VPN credentials, usernames, email addresses and plaintext passwords. Independent researcher Kevin Beaumont examined the material and confirmed its authenticity in a detailed post.
Victims include household names. Accenture. Comcast. Foxconn. Lenovo. Oracle. Samsung. Siemens. PwC. Government agencies also appear on the list. The heaviest concentration of affected devices sits in India, the United States, Taiwan and Mexico. Industries hit hardest span IT services, construction materials, telecommunications and public sector entities. A NATO defense contractor and Federal Express figured among the exposed organizations according to reports that followed the initial TechCrunch coverage.
Fortinet responded quickly. Spokesperson Tiffany Curci told TechCrunch the company was aware of the reported third-party credential-harvesting campaign. She added that the data appeared to be a resharing of information from previous incidents combined with brute-forcing activity. It was not tied to any recent vulnerability advisory, the company maintained.
Yet the scale still alarms. Over 1.16 billion credential attempts targeted more than 320,000 FortiGate systems. Another 2.1 billion brute-force attempts struck over 160,000 MSSQL servers tied to the same infrastructure. The numbers come from Hudson Rock’s examination of the leaked dataset.
This episode fits a larger pattern. Fortinet products have drawn repeated attention in recent years. Earlier campaigns exploited specific bugs. Some delivered ransomware. Others planted backdoors. This time the entry point proved simpler. Weak or reused administrative passwords left on internet-facing devices. Many organizations had failed to rotate credentials after earlier leaks. Others never enforced strict management policies for edge appliances.
And the consequences stretch further. Compromised firewalls sit at the network perimeter. They control VPN access. They segment zones. Once bypassed, attackers gain high-value vantage points. They can map internal topology. They can steal service account credentials stored in configuration backups. They can pivot toward Active Directory and other core systems.
Recent reporting adds context. In February an AI-assisted Russian-speaking actor breached more than 600 FortiGate devices across 55 countries in five weeks. That campaign, detailed by Amazon’s CISO CJ Moses, showed how even unsophisticated operators can scale attacks with generative tools. Dark Reading covered the operation. It targeted credentials and backups, setting the stage for potential ransomware.
Separate research from SentinelOne traced intrusions in early 2026 that leveraged high-severity Fortinet flaws disclosed between December 2025 and February 2026. Attackers established persistent footholds. They extracted LDAP credentials. They deployed malware. The pattern repeats. Edge devices remain prime targets because defenders often grant them less scrutiny than endpoints or cloud workloads.
Legacy issues compound the risk. Shadowserver warned in recent days that more than 10,000 Fortinet firewalls still run unpatched against a vulnerability first disclosed in 2020. The flaw enables authentication bypass. Ransomware groups such as Play and Hive have used it. Iranian-linked actors have exploited it too. Five years later the exposure lingers. Cybersecurity Dive reported the numbers.
Fortinet itself released its 2026 Global Threat Landscape Report days ago. The document noted a 389 percent rise in identified ransomware victims year over year. Brute-force attempts dropped 22 percent while exploitation attempts climbed 25 percent. Attackers work smarter. They select targets with care. They combine stolen datasets with contextual data from infostealer malware. RedLine, Lumma and Vidar dominated the stealer landscape. The report highlighted how agentic AI accelerates these operations.
Yet the FortiBleed campaign underscores a stubborn truth. Technical sophistication matters less when basic hygiene fails. Organizations that expose management interfaces without strong, unique credentials invite exactly this kind of automated harvesting. The self-reinforcing loop described by SOCRadar turns one compromise into hundreds.
Security teams now face urgent triage. Review all FortiGate administrative accounts. Rotate passwords. Disable unnecessary internet exposure. Enable multifactor authentication where available. Audit configuration backups for embedded credentials. Monitor for anomalous login attempts from unfamiliar geographies. The data is already circulating. Threat actors have had weeks to test and expand their access.
Arctic Wolf observed a related cluster of automated activity in January. Attackers created generic accounts for persistence. They modified firewall policies to grant broad VPN access. They exfiltrated configuration files. The tactics align closely with what Hudson Rock and SOCRadar documented. The campaign continues to evolve.
Analysts warn the stolen material could fuel follow-on attacks. Initial access sold on underground forums. Configurations auctioned to ransomware operators. Intelligence on corporate networks packaged for espionage. The breadth, touching defense contractors, technology giants and government bodies, makes the dataset particularly valuable.
Fortinet has urged customers to follow hardening guidelines. The company continues to investigate. But the burden rests heavily on operators. Firewalls protect the crown jewels only when configured with discipline. In this case many apparently were not.
The discovery arrives at a moment when enterprises already wrestle with expanding attack surfaces. Cloud migration. Remote work. Proliferating VPN gateways. Each adds complexity. Each demands rigorous credential management. FortiBleed shows what happens when that discipline slips.
Researchers expect more leaks to surface. The self-feeding scanner described in the reports keeps running. New credentials emerge daily. The compromised count may still grow. Organizations with Fortinet deployments should assume heightened risk and act accordingly. Change passwords. Today.


WebProNews is an iEntry Publication