FortiBleed: 73,932 Fortinet Firewalls Exposed in Large-Scale Credential Leak
A group behind the breach deployed a 45‑GPU cluster, orchestrated via the Hashtopolis framework, to launch over 1.16 billion credential attempts against 320,777 FortiGate devices. The same rig also generated 2.1 billion attempts against 163,650 Microsoft SQL Server systems. The sheer volume highlights how unguarded, high‑performance compute can be weaponized for credential stuffing.
FortiBleed does not stem from a software flaw in Fortinet’s products; instead, it capitalizes on reused or weak passwords. The dataset includes configuration files with usernames and passwords stored in plain text, and many of these credentials remain valid, enabling attackers to access the compromised firewalls and potentially move laterally into the networks they guard.
The dataset was sourced from an individual named Diachenko and later analyzed by threat‑intelligence firm Hudson Rock. Hudson Rock released a public tool that allows organizations to verify whether their firewall URLs appear in the dataset, describing the collection as “one of the largest known troves of compromised Fortinet‑related credentials.”
Fortinet, founded in 2000 by brothers Ken and Michael Xie and headquartered in Sunnyvale, California, markets a portfolio of security solutions, including the FortiGate next‑generation firewall. The company has traded on Nasdaq since 2009 and serves enterprises, service providers, and government agencies.
Because the breach spans 194 countries, numerous well‑known corporations may be impacted. Firms that depend on FortiGate devices for remote access—such as Chevron, Comcast, and Samsung—could find their perimeter defenses compromised. While the attack does not target home users directly, the breached firewalls can become footholds for attackers seeking internal resources.
Fortinet has yet to release a public statement. Industry observers emphasize that the breach underlines the necessity of strong, unique passwords and multi‑factor authentication on network perimeter devices. It also demonstrates how attackers can harness high‑performance computing clusters to conduct credential stuffing at scales previously impractical.
FortiBleed represents the most extensive credential‑exposure campaign targeting Fortinet products to date. Earlier incidents—like the 2022 Belsen Group leak that exposed 15,000 devices—were smaller in scope. This breach signals a shift toward large‑scale, automated attacks that depend on credential reuse instead of software exploits.
Security researchers point out that the attack’s success hinged on the attackers’ capacity to iterate through billions of password combinations rapidly. By deploying GPU clusters without guardrails, they could test credentials against millions of devices in a short span, raising concerns about the security of cloud‑based compute resources that can be rented or accessed by malicious actors.
In reaction to the leak, several organizations have started auditing their FortiGate configurations. The Fortinet community has issued guidance on hardening firewall passwords and enabling two‑factor authentication. The long‑term impact will hinge on how swiftly affected companies replace compromised credentials and uncover any additional vulnerabilities in their network perimeter.
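A defender-side companion to the configuration audits and two-factor guidance mentioned above, added here as an example and not code from the article, Fortinet, or Hudson Rock: it parses a FortiOS-style configuration backup and flags admin accounts that lack two-factor authentication or a trusted-host restriction. The `config system admin` layout and the setting names (`two-factor`, `trusthost1`) are assumed from the FortiOS CLI format, and the sample config is constructed.

```python
import re

# Constructed sample of a FortiOS config backup (entry layout assumed from the
# FortiOS CLI format; the ENC values are placeholders, not real credentials).
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set password ENC PLACEHOLDER_HASH_1
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER_HASH_2
    next
    edit "ops"
        set accprofile "prof_admin"
        set trusthost1 192.168.5.0 255.255.255.0
        set password ENC PLACEHOLDER_HASH_3
    next
end
"""

def parse_admins(config_text):
    """Return {account: {setting: value}} for each entry under 'config system admin'."""
    block = re.search(r"config system admin\n(.*?)\nend", config_text, re.S)
    admins = {}
    entries = re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', block.group(1) if block else "", re.S)
    for entry in entries:
        settings = {}
        for m in re.finditer(r"^\s*set (\S+) (.+)$", entry.group(2), re.M):
            settings[m.group(1)] = m.group(2).strip()
        admins[entry.group(1)] = settings
    return admins

def audit_admins(config_text):
    """Flag admin accounts that lack MFA or a trusted-host restriction: the two
    controls that blunt credential stuffing against the management interface."""
    findings = {}
    for name, s in parse_admins(config_text).items():
        issues = []
        if s.get("two-factor", "disable") == "disable":
            issues.append("no-two-factor")
        if not any(k.startswith("trusthost") for k in s):
            issues.append("no-trusted-hosts")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit_admins` over a real backup to get a per-account list of gaps; accounts that appear in a leaked configuration should additionally have their passwords rotated regardless of what the audit reports.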
FortiBleed remains an active threat. Attackers continue probing devices omitted from the initial dataset, and the leaked credentials could be leveraged in future attacks. The incident underscores that credential security remains a critical component of network defense, particularly for edge devices.
As the situation unfolds, security teams are urged to use the Hudson Rock lookup tool to verify whether their FortiGate URLs appear in the leaked dataset. Fortinet’s response, along with any patch or mitigation guidance, is expected to follow as the company investigates the breach.
In summary, the FortiBleed incident reveals a massive credential‑exposure campaign that has compromised almost 74,000 Fortinet firewalls worldwide. By leveraging a large GPU cluster to execute billions of credential attempts, the attackers exposed the widespread use of weak or reused passwords. The breach highlights the necessity of stronger authentication practices on network perimeter devices and the potential misuse of high‑performance computing resources in cybercrime.