
An alleged Russian-speaking cybercriminal group has compromised tens of thousands of Fortinet firewalls used by major companies worldwide in a credential-stuffing campaign that security researchers are calling “FortiBleed.”
The operation, first discovered by security researcher Volodymyr “Bob” Diachenko, has affected approximately 74,000 unique Fortinet firewall devices across 194 countries, according to analysis by Hudson Rock and SOCRadar. Over 21,000 unique domains have been impacted. Kevin Beaumont, an independent security researcher, estimates this represents roughly half of all internet-facing FortiGate devices globally.
Named targets confirmed in the leaked dataset include Samsung, Oracle, Foxconn, Siemens, Comcast, Lenovo, PwC, Accenture, Chevron, AT&T, Mercedes-Benz, Toyota, Spotify, and Sony. The most affected industries are IT services, telecommunications (with over 5,600 credential entries), and government agencies (111 domains affected). One Turkish NATO defense contractor allegedly had classified documents stolen.
The campaign is ongoing.
The attack did not exploit any new vulnerability or software flaw. It relied entirely on credential reuse and credential stuffing, a technique as old as the internet itself.
The group compiled passwords from previous Fortinet breach dumps and infostealer malware logs, then tested them at scale against internet-exposed FortiGate devices, primarily targeting SSL VPN interfaces. Inside compromised devices, they intercepted authentication hashes and cracked them offline using a 45-GPU cluster managed via Hashtopolis, a popular password-cracking management tool.
The compromised devices themselves were used as listening posts, monitoring traffic and harvesting additional credentials to feed back into the scanning operation. This created a self-feeding loop: each new compromise expanded the pool of credentials for the next round of attacks.
Hudson Rock documented 1.16 billion credential attempts against 320,777 FortiGate targets, alongside 2.1 billion brute-force attempts against 163,650 Microsoft SQL Server systems.
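As a defender-side illustration of the technique described above (an added example, not code from the article or from any of the researchers it cites): a small Python detector over constructed FortiGate-style SSL VPN log lines that flags a source address trying many distinct usernames in a short window, the signature of credential stuffing rather than a user mistyping a password. The key=value field names follow FortiGate's log syntax; the specific action values are assumptions to verify against the log reference for your firmware.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FortiGate-style SSL VPN event log lines (invented values, not a
# real capture). Field names follow FortiGate's key=value log syntax; the action
# values "ssl-login-fail" and "tunnel-up" are assumed and should be checked
# against the log reference for the firmware you run.
SAMPLE_LOGS = """\
date=2026-06-15 time=08:00:01 action="ssl-login-fail" remip=203.0.113.10 user="alice" reason="sslvpn_login_permission_denied"
date=2026-06-15 time=08:00:02 action="ssl-login-fail" remip=203.0.113.10 user="bob" reason="sslvpn_login_unknown_user"
date=2026-06-15 time=08:00:03 action="ssl-login-fail" remip=203.0.113.10 user="carol" reason="sslvpn_login_unknown_user"
date=2026-06-15 time=08:00:05 action="ssl-login-fail" remip=203.0.113.10 user="dave" reason="sslvpn_login_permission_denied"
date=2026-06-15 time=08:00:09 action="tunnel-up" remip=203.0.113.10 user="dave" reason="N/A"
date=2026-06-15 time=08:10:00 action="ssl-login-fail" remip=198.51.100.7 user="erin" reason="sslvpn_login_permission_denied"
date=2026-06-15 time=08:11:00 action="tunnel-up" remip=198.51.100.7 user="erin" reason="N/A"
"""

# key=value pairs; values may be quoted (group 3) or bare (group 4)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    fields = {k: q or bare for k, _, q, bare in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=3):
    """Flag source IPs whose failed logins cover >= min_users distinct accounts
    within one window. A typo hits one account repeatedly; stuffing walks a
    credential list. Returns {remip: {"users", "fails", "success_after"}}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_src[ev["remip"]].append(ev)
    alerts = {}
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["action"] == "ssl-login-fail"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = sorted({e["user"] for e in burst})
            if len(users) >= min_users:
                # a tunnel coming up from the same source after the burst is the
                # strongest sign that one of the tried credentials worked
                success_after = any(e["action"] == "tunnel-up" and e["ts"] >= first["ts"] for e in evs)
                alerts[src] = {"users": users, "fails": len(burst), "success_after": success_after}
                break
    return alerts
```

Sources flagged with `success_after` set are the ones to treat as probable compromises and prioritise for credential rotation and session review.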
What Was Exposed
The accidentally exposed server, discovered by Diachenko via misconfigured directory indexing, contained usernames, email addresses, and plaintext passwords for FortiGate SSL VPN devices. It also included organization metadata (industry, revenue, employee counts) used for targeting, SSL VPN authentication hashes, and bash histories, cron jobs, scripts, and connection strings from the attackers’ own operational backend.
At the deeper end of the compromise, attackers recovered full device configurations, including firewall rules and network maps, and pivoted into internal Active Directory environments.
Fortinet’s Response
Fortinet acknowledged the campaign in a statement from spokesperson Tiffany Curci, describing it as “a reported third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways.” The company characterized the data as “a resharing of data from previous incidents, as well as bruteforcing of credentials,” and stated it was “not related to any recent incident or advisory.”
Fortinet did not confirm the scope of the breach or comment on the specific number of compromised devices reported by security researchers.
Context: A Long History of Fortinet Incidents
FortiBleed is not the first large-scale compromise of Fortinet devices, though it is distinct in its mechanism. It is a credential-theft and credential-stuffing campaign, not a vulnerability exploitation campaign.
Previous incidents include the Belsen Group leak in January 2025, in which configuration data from roughly 15,000 FortiGate devices was published online, tied to CVE-2022-40684, an authentication bypass zero-day from October 2022. In January and February 2026, an Amazon-reported campaign saw a Russian-speaking actor use generative AI tools to compromise over 600 FortiGate firewalls across 55 countries, again via weak passwords. Multiple CVEs affecting Fortinet products were disclosed and patched through the first half of 2026.
What makes FortiBleed different is the scale. At roughly 74,000 devices compromised, it is an order of magnitude larger than any previous campaign against the vendor’s infrastructure.
What It Means
FortiBleed is a brute-force attack, not a sophisticated exploit. It succeeded because reused and weak passwords remain the single largest vulnerability in enterprise security. The attackers did not need to discover anything new. They only needed to test what was already known.
Hudson Rock has launched a free domain lookup portal at hudsonrock.com/fortinet for organizations to check whether their credentials were exposed. For the thousands of affected companies, the immediate task is credential rotation and incident response. For the broader industry, the lesson is one the security community has been repeating for decades: no firewall can protect against credentials that were already compromised.
Sources: TechCrunch (June 17, 2026); BleepingComputer (June 17, 2026); Hudson Rock analysis (June 2026); SOCRadar analysis (June 2026); Kevin Beaumont analysis (June 17, 2026)