A Russian-speaking cybercriminal group has harvested valid login credentials from roughly half of all internet-facing Fortinet devices worldwide in a campaign now dubbed "FortiBleed." Security researchers have confirmed that 73,932 unique firewall and VPN gateway URLs across 194 countries were compromised, with verified major victims including Oracle, Samsung, FedEx, and multiple government agencies. The attacker infrastructure remains live, and threat intelligence firm SOCRadar confirms new victims are still being added. This is an active, ongoing campaign.
What Happened
The breach surfaced publicly on June 17, 2026, when veteran security researcher Volodymyr "Bob" Diachenko of SecurityDiscovery.com discovered an attacker-operated server left exposed online. The server held plaintext usernames and passwords for tens of thousands of FortiGate devices. Diachenko characterized it as a "massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action."
Independent British cybersecurity researcher Kevin Beaumont reviewed the dataset with assistance from threat intelligence firm Hudson Rock and confirmed its authenticity. "The data is legit. It is around 75k devices. Almost all are still online and Fortinet devices. It appears to be recent data," Beaumont stated on June 18, 2026. The credentials were verified as valid and recently harvested, and many affected organizations had no idea their perimeter devices had been compromised.
The scale is staggering: 73,932 unique firewall URLs, organizations in 194 countries, and an estimated 50 percent of all internet-facing Fortinet devices globally. Affected entities span every major industry, from Fortune 500 technology firms and global logistics carriers to government agencies and NATO-affiliated defense contractors.
What Was Taken
The exposed attacker database contained valid, plaintext credential pairs (usernames and passwords) for the management and VPN interfaces of nearly 75,000 Fortinet firewall and VPN gateway devices. These are not low-value accounts. Firewall and VPN credentials grant direct access to the network perimeter, the boundary that separates the public internet from internal corporate and government systems.
Because the credentials are valid and current, an attacker holding this database can authenticate to victim devices as a legitimate user, bypassing the need to exploit any vulnerability at login time. The dataset effectively functions as a master key catalog: a pre-verified inventory of which doors open and what keys fit them across 194 countries.
Why It Matters
A perimeter firewall is meant to be the first and strongest line of defense. When valid credentials to that device are in criminal hands, the defensive value of the firewall inverts: it becomes an authenticated entry point rather than a barrier. From there, attackers can pivot into internal networks, deploy ransomware, exfiltrate data, or establish long-term persistence.
The confirmed presence of Oracle, Samsung, FedEx, and government agencies among the victims signals that this is not opportunistic noise. It is a strategically significant exposure affecting critical infrastructure, global supply chains, and national defense suppliers. The financially motivated, multi-operator nature of the group means access is likely to be sold, traded, or weaponized for follow-on extortion. Because the campaign is ongoing and the infrastructure is live, the victim count is a floor, not a ceiling.
The Attack Technique
Investigators describe an industrial-scale, highly automated operation run by a multi-operator, Russian-speaking cybercriminal group motivated by financial gain. The campaign was executed in distinct stages. It began with mass internet scanning, in which the group deployed custom scanning tooling to enumerate internet-facing Fortinet devices at global scale. That reconnaissance fed an automated brute-force and active-exploitation pipeline that tested and validated credentials against the discovered devices, harvesting working username and password pairs into the centralized database that Diachenko ultimately discovered exposed.
The combination of mass scanning, automated credential validation, and a continuously updated victim database points to a mature, assembly-line operation rather than a single targeted intrusion. The fact that researchers found the staging server online indicates the operation was caught mid-stream, while collection was still active.
What Organizations Should Do
- Assume compromise and rotate immediately. Treat every Fortinet firewall and VPN credential as exposed. Reset all administrative and VPN account passwords now, and rotate any shared or service accounts tied to these devices. An attacker who has already logged in as an administrator can read the device configuration, so treat the secrets stored in it (IPsec pre-shared keys, LDAP or RADIUS bind passwords, SNMP communities) as exposed too and rotate them alongside the passwords.
- Enforce multi-factor authentication on every firewall management and VPN login path, including SSH and the web GUI, so that a stolen password alone cannot grant access.
- Restrict management exposure. Remove firewall administrative interfaces from the public internet entirely; limit access to dedicated management networks or VPN-gated jump hosts, and pin administrative logins to those source addresses where the platform supports trusted-host restrictions.
- Hunt for unauthorized access. Review authentication logs for logins from unexpected geographies or source addresses, logins at unusual times, and bursts of failed logins followed by a success from the same source (the signature of a brute-force run that found a working password). Look for new or modified admin accounts, configuration changes, and unfamiliar VPN sessions. If the device's own log store is the only copy, remember that an attacker with admin access could have cleared it; prefer logs forwarded to a central collector.
- Patch and update firmware. Ensure all FortiGate and FortiOS devices are running the latest vendor-supported firmware to close known exploitation paths used in the campaign. Patching alone does not remediate a device whose credentials already sit in the dataset; it has to be paired with the rotation above.
- Check your exposure against the dataset. Determine whether your organization's device URLs appear among the compromised entries, and engage your incident response team or a trusted threat intelligence provider if you operate internet-facing Fortinet infrastructure.
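A concrete way to run the log-hunting step above, as an added example and not tooling from this article, from the researchers named in it, or from Fortinet: a small Python script that parses FortiGate-style key=value event log lines and flags the patterns listed (admin logins from outside the management network, off-hours logins, a burst of failures followed by a success, and admin accounts being added). The sample log lines, the management allowlist (10.20.0.0/24), the business-hours window, and the brute-force threshold are all constructed assumptions for the example; the field names follow the common FortiOS event-log layout, but a real deployment should be checked against the device's own log reference.

```python
"""Hunt for suspicious administrative activity in FortiGate-style event logs.

Added example: parses key=value syslog lines and applies four simple rules.
All sample data and thresholds below are constructed for illustration.
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the FortiGate key=value style (not from a real device).
SAMPLE_LOGS = """\
date=2026-06-16 time=02:14:01 devname="fw-edge-01" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="failed" reason="passwd_invalid"
date=2026-06-16 time=02:14:03 devname="fw-edge-01" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="failed" reason="passwd_invalid"
date=2026-06-16 time=02:14:05 devname="fw-edge-01" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="failed" reason="passwd_invalid"
date=2026-06-16 time=02:14:08 devname="fw-edge-01" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="success"
date=2026-06-16 time=02:15:30 devname="fw-edge-01" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="GUI(198.51.100.77)" srcip=198.51.100.77 action="Add" cfgpath="system.admin" cfgobj="svc_backup"
date=2026-06-16 time=09:02:11 devname="fw-edge-01" type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="ssh(10.20.0.5)" srcip=10.20.0.5 action="login" status="success"
"""

# Hypothetical tuning for this example; adjust to your own environment.
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]  # where admins should come from
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 in the device's local time
FAIL_BURST = 3                       # failed logins that make a following success suspicious
BURST_WINDOW = timedelta(minutes=10)

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one log line into a dict, adding a parsed 'ts' datetime."""
    rec = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
    return rec


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_mgmt_source(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETWORKS)


def hunt(records):
    """Return (rule, timestamp, subject, srcip) tuples for every rule that fires."""
    findings = []
    failures = defaultdict(list)  # (srcip, user) -> timestamps of failed logins
    for rec in sorted(records, key=lambda r: r["ts"]):
        src, user, ts = rec.get("srcip", "?"), rec.get("user", "?"), rec["ts"]
        if rec.get("action") == "login":
            if rec.get("status") == "failed":
                failures[(src, user)].append(ts)
                continue
            if rec.get("status") != "success":
                continue
            if not is_mgmt_source(src):
                findings.append(("login_outside_mgmt", ts, user, src))
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("login_off_hours", ts, user, src))
            # Brute force that finally worked: enough recent failures from the same source.
            recent = [t for t in failures[(src, user)] if ts - t <= BURST_WINDOW]
            if len(recent) >= FAIL_BURST:
                findings.append(("bruteforce_then_success", ts, user, src))
        elif rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
            # A new administrator account is classic persistence after credential theft.
            findings.append(("admin_account_added", ts, rec.get("cfgobj", "?"), src))
    return findings


if __name__ == "__main__":
    for rule, ts, subject, src in hunt(parse_logs(SAMPLE_LOGS)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:<26} {subject:<12} from {src}")
```

On the constructed sample, the 02:14 success from 198.51.100.77 trips all three login rules at once, the account addition a minute later fires the persistence rule, and the 09:02 SSH login from the management network is silent. Point the same parser at logs forwarded from your collector rather than at the device's local store, and extend the rules to the VPN event subtype once you have confirmed the field values your firmware emits.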