
June 18, 2026

FortiBleed exposes Fortinet credentials at global scale


At a glance: FortiBleed exposed credentials for tens of thousands of Fortinet firewalls and VPN gateways, highlighting the widespread exposure of authentication data across internet-facing systems. The dataset reflects long-term credential collection from multiple sources, with valid credentials still tied to active devices and environments. This reinforces identity as the primary attack surface and highlights the need to control credential exposure, restrict management access, and validate account activity across all environments.

Threat summary

Between June 13-17, 2026, multiple researchers validated the discovery of threat actor infrastructure hosting a large dataset of potentially valid credentials for Fortinet firewalls and VPN gateways.

Referred to as FortiBleed, the dataset exposed credentials for an estimated 75,000 Fortinet FortiGate firewalls and Secure Sockets Layer Virtual Private Network (SSL VPN) gateways. Researchers provided a lookup capability to check whether domains, email addresses, or usernames appear in the dataset.

The credential harvesting activity, associated with Russian-speaking threat actors, relied on automated processes to collect and use credentials across a large number of Fortinet devices worldwide. Credentials were collected, processed, and cracked across tens of thousands of internet-facing systems.

The dataset spans more than 21,000 domains across 194 countries, with the highest concentration of affected credentials in India, the United States, and Mexico, and enterprise accounts most frequently targeted.

Scanning activity focused on common Fortinet access points, including the default HTTPS port 443 used by SSL VPN interfaces, as well as non-standard ports such as 4443, 8443, and 10443, indicating coverage of both default and custom deployment configurations.

Researchers report that Fortinet configuration files were collected from internet-exposed devices and later found stored on a threat actor’s operational server, along with automation tools, supporting infrastructure, and a list of affected systems. These configuration files were used to extract administrator credentials.

The data shows that credentials were gathered over time through a combination of earlier vulnerabilities, credential harvesting, and reuse, reflecting a pattern where authentication data continues to provide access long after the initial exposure.

Many affected systems reportedly stored credentials using older SHA-256-based hashing, which is more susceptible to offline cracking. Fortinet introduced PBKDF2-based hashing in FortiOS versions 7.2.11, 7.4.8, and 7.6.1, but existing credentials remain stored in the older format until administrators authenticate after an upgrade, extending exposure.

Field Effect MDR clients would have received an ARO if related exposure or activity was identified.

Analysis

Field Effect’s 2026 Threat Outlook Report highlights that most incidents now involve identity abuse, including stolen credentials, tokens, single sign-on sessions, MFA fatigue, or session hijacking. These methods provide direct, legitimate-looking access.

Once inside, threat actors operate within normal workflows, blend into expected activity, and move without triggering controls designed to detect malware or exploitation.

Large credential datasets like FortiBleed are not built in a single event. Threat actors collect data from multiple sources, including configuration file leaks, phishing campaigns, credential stuffing, malware logs, and exposed systems. Each source adds usernames, passwords, tokens, and session data to a growing collection.

Over time, these collections become “dumps,” bulk datasets of credentials and authentication data taken from compromised systems.

These bulk datasets are structured and easy to reuse. Threat actors work from known data instead of guessing passwords, testing credentials across systems and using them wherever they remain valid. This allows access to persist even after vulnerabilities are patched, as credentials often remain unchanged. 

Threat actors compare credentials across multiple datasets to identify reused passwords, valid accounts, and higher-value targets. Older data remains useful because credentials are often reused or not rotated quickly, which is why incidents linked to past exposures continue to surface over time. 

These datasets are packaged and traded in underground markets. Initial access brokers (IABs) use them to identify working credentials and sell confirmed access to other threat actors, who then use that access for follow-on activity such as data theft or ransomware. This creates a supply chain where data collection, access validation, and exploitation are handled by different groups. 

The FortiBleed dataset is just one collection of credentials and does not represent all compromised systems or all data circulating in cybercriminal marketplaces. But it does highlight broader gaps in credential management and Fortinet device management practices.

Organizations benefit from treating the FortiBleed dataset as partial visibility into exposure and validating risk in environments where Fortinet management interfaces are reachable from the internet or where older credential storage methods remain in use.

These conditions increase exposure risk and make credential lifecycle control and access validation relevant across all systems, not only those identified in the dataset. Recommended actions include:

  • Review whether Fortinet management interfaces are reachable from the internet and restrict access to trusted networks
  • Identify where older credential storage methods are in use and upgrade systems to support stronger hashing
  • Rotate all administrative and VPN credentials across environments to invalidate collected passwords
  • Validate account activity and access logs for signs of unauthorized use tied to exposed credentials
  • Apply MFA across all remote and privileged access paths
  • Conduct a full review of firewall configurations for unauthorized accounts, changes to access controls, and persistence mechanisms
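One way to act on the log-validation item in the list above, as an added example that is not part of the original advisory: a Python triage script run over constructed FortiOS-style key=value event lines that flags admin logins from outside a trusted management network, successes that follow repeated failures (credential testing), and activity by accounts an organization found in the FortiBleed lookup. The field names (logdesc, user, srcip, remip), the trusted network, and the account names are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Admin logins are expected only from these management networks (assumed policy).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Accounts the organisation found in the FortiBleed lookup (constructed placeholder names).
EXPOSED_ACCOUNTS = {"admin", "jsmith"}
# Failed attempts after which a subsequent success is treated as credential testing.
FAIL_THRESHOLD = 2
# Constructed FortiOS-style key=value event lines; field names are assumed and may differ by version.
SAMPLE_LOGS = """\
date=2026-06-15 time=08:01:10 logdesc="Admin login failed" user="admin" srcip=198.51.100.23
date=2026-06-15 time=08:01:14 logdesc="Admin login failed" user="admin" srcip=198.51.100.23
date=2026-06-15 time=08:01:19 logdesc="Admin login successful" user="admin" srcip=198.51.100.23
date=2026-06-15 time=09:12:00 logdesc="Admin login successful" user="netops" srcip=10.20.0.5
date=2026-06-15 time=11:40:33 logdesc="SSL VPN tunnel up" user="jsmith" remip=203.0.113.77
date=2026-06-15 time=12:05:41 logdesc="SSL VPN tunnel up" user="mlee" remip=203.0.113.90
"""
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one key=value log line into a dict; quoted values keep their spaces."""
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}

def is_trusted(ip):
    """True if ip is inside a management network; a missing or malformed ip is untrusted."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_ADMIN_NETS)
    except ValueError:
        return False

def analyze(text):
    """Return (rule, user, ip) findings for successful logins that warrant follow-up."""
    failures = defaultdict(int)  # (user, ip) -> failed admin logins seen so far
    findings = []
    for rec in map(parse_line, text.splitlines()):
        user, desc = rec.get("user", ""), rec.get("logdesc", "")
        ip = rec.get("srcip") or rec.get("remip") or ""
        if desc == "Admin login failed":
            failures[(user, ip)] += 1
        elif desc in ("Admin login successful", "SSL VPN tunnel up"):
            if desc.startswith("Admin") and not is_trusted(ip):
                findings.append(("admin_login_untrusted_source", user, ip))
            if failures.pop((user, ip), 0) >= FAIL_THRESHOLD:  # success after repeated failures
                findings.append(("success_after_failures", user, ip))
            if user in EXPOSED_ACCOUNTS:
                findings.append(("exposed_account_active", user, ip))
    return findings
```

Each finding is a lead for the account review, not a confirmed compromise; a trusted-network login by an exposed account still warrants a credential rotation check.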