Credential stuffing | Ongoing

FortiBleed: leaked dataset exposes VPN credentials for ~74,000 Fortinet firewalls

A dataset dubbed FortiBleed exposed valid Fortinet FortiGate VPN credentials — including plaintext passwords — for 73,932 firewall URLs across 194 countries, the product of a Russian-speaking crew that reused passwords from earlier breaches and infostealer logs rather than any new Fortinet vulnerability.

Victim
Organizations running Fortinet FortiGate firewalls worldwide

On 17 June 2026, security researcher Bob Diachenko disclosed a leaked dataset — dubbed FortiBleed — exposing what appear to be valid Fortinet FortiGate VPN credentials, including usernames, email addresses, and plaintext passwords, for 73,932 firewall URLs spread across 194 countries and 21,632 unique domains. The exposed organisations reportedly include major global enterprises such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, and State Grid.

Not a new vulnerability

Crucially, FortiBleed is not the exploitation of an unknown Fortinet flaw. Fortinet said its investigation indicates the credentials were obtained through previous incidents and brute-force attacks and are not linked to any newly disclosed vulnerability, breach, or security advisory. The campaign instead leans on a far more basic failure: organisations that never rotated credentials after earlier compromises, leaving passwords that have since circulated in infostealer logs and breach databases still valid on internet-exposed firewalls.

A multi-operator, internet-scale campaign

The leak is the visible output of a broader operation attributed to a multi-operator, Russian-speaking cybercriminal group. Rather than simple credential stuffing, the operators systematically scanned the internet for exposed Fortinet instances and tested them against historical credential databases. Telemetry tied to the campaign points to an estimated 1.16 billion credential-based attempts against more than 320,000 FortiGate targets, alongside a parallel 2.1 billion brute-force attempts against more than 160,000 MSSQL servers — collectively yielding the 21,632 compromised domains.

Why it matters

FortiBleed is a stark illustration that credential hygiene, not just patching, is load-bearing for perimeter security. Valid VPN logins on a firewall hand attackers a clean, authenticated foothold inside an enterprise — no exploit required — and the dataset's reach across nearly 200 countries and tens of thousands of organisations makes it a ready-made target list. Defenders running FortiGate appliances were urged to rotate all VPN and administrative credentials, enforce multi-factor authentication, and assume that any password reused from a prior breach or harvested by infostealer malware is already in attacker hands.

Timeline

  1. Researcher Bob Diachenko reports finding an exposed server holding what appear to be valid Fortinet VPN credentials — usernames, email addresses, and plaintext passwords — for 73,932 firewall URLs across 194 countries and 21,632 unique domains.

  2. Fortinet tells reporters the credentials stem from previous incidents and brute-force attacks and are not linked to any newly disclosed vulnerability, breach, or security advisory.

Sources

  1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
  2. techcrunch.com: https://techcrunch.com/2026/06/17/cybercriminals-allegedly-hacked-tens-of-thousands-of-fortinet-firewalls-used-by-major-companies-all-over-the-world/
  3. arcticwolf.com: https://arcticwolf.com/resources/blog/active-fortibleed-campaign-impacting-fortinet-devices-across-194-countries/
  4. hackread.com: https://hackread.com/fortibleed-attack-fortinet-firewalls-credentials/
  5. cybersecuritynews.com: https://cybersecuritynews.com/fortibleed-fortinet-firewalls-compromised/
