FortiBleed: The 74,000-Firewall Breach That Hit Oracle, FedEx, and a NATO Contractor
Security & Privacy · June 21, 2026
A cybercriminal group has compromised roughly 74,000 Fortinet firewalls across 194 countries, exposing plaintext credentials for some of the world’s largest organisations — including Oracle, Chevron, Lenovo, FedEx, a Turkish NATO defence contractor, and Fortinet itself. Security researchers are calling it the most consequential firewall breach campaign ever documented.
Discovered by independent researcher Bob Diachenko and analysed by Hudson Rock, the campaign — now dubbed FortiBleed — is not the result of a single zero-day exploit. It is an automated, industrial-scale credential harvesting operation that has been running for months, possibly longer. The attackers scanned the internet for exposed FortiGate management interfaces, brute-forced credentials using a custom 25,000-thread binary, and cracked intercepted SSL VPN authentication hashes on a dedicated 45-GPU cluster. Once inside, they moved laterally into Active Directory environments and, in at least one confirmed case, exfiltrated classified defence documents.
This is not a theoretical risk. CISA issued an emergency alert on June 18 urging all affected organisations to assume compromise. Hudson Rock’s search engine allows any domain owner to check if their credentials are in the dataset. If your organisation uses Fortinet, you need to act on this today — not next week.
1. The Scope: Bigger Than Anything We Have Seen
The numbers are staggering. Security researcher Bob Diachenko discovered an open server containing credential data for 73,932 unique Fortinet firewall URLs spanning 21,632 domains in 194 countries. According to Shodan polling, that represents roughly half of all internet-facing Fortinet devices worldwide.
The compromised organisations span nearly every sector of the global economy: IT services, construction, telecommunications, financial services, industrial equipment, and government agencies across the US, India, Taiwan, Mexico, Turkey, and Thailand. The data includes industry, revenue, and employee count for each affected organisation — a complete corporate fingerprint.
“The scale of this breach touches nearly every sector of the global economy, sparing no industry,” Hudson Rock wrote in its analysis. Ukrainian-born independent researcher Kevin Beaumont confirmed that “almost all” compromised devices remained online as of June 18, and that credentials he verified with multiple organisations were real and current.
This is not a breach of one company’s servers. It is a global infrastructure-level compromise that has handed attackers a master key to tens of thousands of corporate networks simultaneously.
IT teams worldwide are scrambling to assess whether their Fortinet firewalls appear in the FortiBleed credential dump.
2. How They Did It: A New Breed of Brute-Force
What makes FortiBleed different is not just its scale — it is the sophistication of the attack methodology. The threat actor, believed to be a Russian-speaking cybercrime group, built a custom cracking infrastructure that security researchers describe as unprecedented in its automation and intelligence.
Phase 1: Mass Discovery
The group mass-scanned the internet for exposed FortiGate remote login endpoints. They then deployed a custom binary using 25,000 simultaneous threads to spray hundreds of thousands of endpoints with login and password combinations. This alone is orders of magnitude more aggressive than typical brute-force campaigns.
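The defensive counterpart to this phase is spotting it in your own logs before a spray succeeds. The following Python sketch is an added example for this article, not code from the researchers or from Fortinet: it parses constructed lines written in the FortiOS key=value event-log style (field names such as action, status, user and srcip follow FortiGate admin-login events; the exact sample lines, thresholds and window are assumptions) and flags three patterns a mass-scanning campaign produces: repeated failures from one source, one source cycling through many usernames, and one username tried from many sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate-style key=value format (not captured
# from a real device). Field names follow FortiOS admin-login event logs.
SAMPLE_LOGS = """\
date=2026-06-18 time=09:00:01 type="event" action="login" status="failed" user="admin" srcip=198.51.100.7
date=2026-06-18 time=09:00:02 type="event" action="login" status="failed" user="admin" srcip=198.51.100.7
date=2026-06-18 time=09:00:04 type="event" action="login" status="failed" user="admin" srcip=198.51.100.7
date=2026-06-18 time=09:00:05 type="event" action="login" status="failed" user="admin" srcip=198.51.100.7
date=2026-06-18 time=09:00:07 type="event" action="login" status="failed" user="admin" srcip=198.51.100.7
date=2026-06-18 time=09:00:09 type="event" action="login" status="failed" user="admin" srcip=198.51.100.7
date=2026-06-18 time=09:01:10 type="event" action="login" status="failed" user="alice" srcip=203.0.113.9
date=2026-06-18 time=09:01:11 type="event" action="login" status="failed" user="bob" srcip=203.0.113.9
date=2026-06-18 time=09:01:12 type="event" action="login" status="failed" user="carol" srcip=203.0.113.9
date=2026-06-18 time=09:01:13 type="event" action="login" status="failed" user="dave" srcip=203.0.113.9
date=2026-06-18 time=09:02:00 type="event" action="login" status="failed" user="vpnuser" srcip=192.0.2.1
date=2026-06-18 time=09:02:30 type="event" action="login" status="failed" user="vpnuser" srcip=192.0.2.2
date=2026-06-18 time=09:03:00 type="event" action="login" status="failed" user="vpnuser" srcip=192.0.2.3
date=2026-06-18 time=09:05:00 type="event" action="login" status="failed" user="alice" srcip=10.0.0.5
date=2026-06-18 time=09:05:30 type="event" action="login" status="success" user="admin" srcip=10.0.0.5
"""

# Matches key="quoted value" as well as key=bare_value.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict and attach a parsed timestamp."""
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(
            fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def failed_logins(lines):
    """Yield only failed login events that carry a timestamp, source and user."""
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if (ev.get("action") == "login" and ev.get("status") == "failed"
                and "ts" in ev and "srcip" in ev and "user" in ev):
            yield ev


def detect(lines, window=timedelta(minutes=10), max_failures=5,
           spray_users=4, distributed_sources=3):
    """Return brute-force, password-spray and distributed-guessing findings.

    Thresholds are assumed starting points, not vendor recommendations.
    """
    times_by_src = defaultdict(list)
    users_by_src = defaultdict(set)
    srcs_by_user = defaultdict(set)
    for ev in failed_logins(lines):
        times_by_src[ev["srcip"]].append(ev["ts"])
        users_by_src[ev["srcip"]].add(ev["user"])
        srcs_by_user[ev["user"]].add(ev["srcip"])

    brute_force = {}
    for src, times in times_by_src.items():
        times.sort()
        # Flag the source if any max_failures consecutive failures fit in the window.
        for i in range(len(times) - max_failures + 1):
            if times[i + max_failures - 1] - times[i] <= window:
                brute_force[src] = len(times)
                break

    password_spray = {s: sorted(u) for s, u in users_by_src.items()
                      if len(u) >= spray_users}
    distributed = {u: sorted(s) for u, s in srcs_by_user.items()
                   if len(s) >= distributed_sources}
    return {"brute_force": brute_force,
            "password_spray": password_spray,
            "distributed": distributed}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOGS.splitlines()).items():
        print(kind, hits)
```

Run against a real export, the same three buckets map to three responses: a single noisy source is a candidate for a deny list, a source cycling usernames is a spray that MFA blunts, and one account hit from many sources is the signal that the account itself is being targeted and should be rotated.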
Phase 2: Hash Cracking at Scale
Once inside, the attackers intercepted SSL VPN authentication hashes and cracked them using a dedicated 45-GPU cluster managed via Hashtopolis. The cracking logic was recursive and self-improving: a “feedback-driven, 12-level recursive system” that fed successful password guesses back as seeds for further rounds. Custom dictionaries combined up to eight words with common keyboard patterns and sophisticated cracking rules.
Phase 3: Lateral Movement
With working credentials, attackers pivoted from the Fortinet devices into internal networks — notably Active Directory environments and RADIUS servers. Hudson Rock confirmed full network compromises at organisations across Japan, Taiwan, Vietnam, Iraq, and Turkey. The most alarming case: a Turkish NATO defence contractor from which classified defence documents were exfiltrated.
“The scale is the sophistication.” — Bob Diachenko, security researcher who discovered the FortiBleed data
3. Who Is Affected
The breadth of impacted organisations is extraordinary. Hudson Rock’s dataset includes credentials from:
Source: Hudson Rock / Bob Diachenko verified credential dataset
Beyond these names, the database lists thousands of others including major government agencies and critical infrastructure providers. Five government entities in Puerto Rico alone had nearly 120 distinct credentials swept up in the campaign. Agencies in Washington, Nevada, and South Carolina states also appeared in the data.
The most impacted countries by device count: India, the United States, Taiwan, Mexico, Turkey, and Thailand. The top affected industries: IT services, construction materials, telecommunications, construction and engineering, industrial equipment, and financial services.
4. Fortinet’s Response — and What Is Missing
Fortinet acknowledged the campaign in a statement, saying the stolen credentials were drawn “from previous incidents” and that the malicious activity was “not related to any recent incident or advisory.” The company has not confirmed any new vulnerability, nor has it issued a patch or emergency firmware update.
CISA was faster to act. The US cyber defence agency issued an emergency alert on June 18 warning that threat actors are actively exploiting the compromised Fortinet credentials across government and private sectors. The FBI, Office of the National Cyber Director, and cybersecurity agencies in India and Taiwan have not yet issued public statements.
The key question remains unanswered: How did the attackers initially obtain the configuration data? Researchers have not confirmed whether this stems from a previously undocumented vulnerability, an old CVE still being exploited at scale, or a supply chain compromise at Fortinet itself.
An estimated 50% of all internet-facing Fortinet devices were compromised in the FortiBleed campaign.
5. What to Do If You Use Fortinet
If your organisation uses Fortinet firewalls or VPN gateways, assume you are affected until proven otherwise. Here is your action plan:
6. Broader Implications for Enterprise Security
FortiBleed is not just a Fortinet problem. It signals a fundamental shift in how cybercriminals operate. The combination of AI-assisted tooling (including code editors like Cursor), GPU-accelerated hash cracking, and recursive password guessing represents a new tier of capability for initial access brokers.
The attacker, operating under the alias “SantaAd,” has been auctioning access to compromised networks on underground forums. Prices started at approximately $25,000 per network and rose to $60,000 after public reporting of FortiBleed — a textbook example of how threat actors monetise their findings before defenders even know they have been breached.
| Threat | Before FortiBleed | After FortiBleed |
|---|---|---|
| Attack velocity | Single-target brute-force | 25,000-thread mass-scanning |
| Password cracking | Single GPU dictionaries | 45-GPU self-improving recursive cluster |
| Lateral movement | Fragmented after initial breach | Automated AD compromise pipeline |
| Monetisation | Ransomware or data sale | Access broker auctions ($25k-$60k) |
| Attribution | Often unclear | Russian-speaking group, aliased as “SantaAd” |
Is your organisation on the FortiBleed list?
Check Hudson Rock’s free lookup tool now. If your domain appears, assume compromise and follow the remediation steps above.
7. FAQ
What is FortiBleed?
FortiBleed is a massive data leak exposing credentials for roughly 74,000 Fortinet firewall and VPN devices across 194 countries. Discovered by researcher Bob Diachenko, the dataset includes plaintext passwords that attackers used to compromise corporate networks globally.
Who discovered it?
Independent security researcher Volodymyr “Bob” Diachenko first identified the exposed server. Hudson Rock and Kevin Beaumont independently analysed and verified the data.
Was a new vulnerability exploited?
No. FortiBleed is not the result of a single new vulnerability. The attackers used mass brute-forcing of weak credentials and cracking intercepted authentication hashes with a 45-GPU cluster. Fortinet states the data aggregates information from previous incidents and ongoing brute-force activity.
How can I check whether my organisation is affected?
Hudson Rock provides a free search engine at hudsonrock.com/fortinet. Enter your organisation’s domain to check if credentials appear in the dataset.
What should I do if my organisation is listed?
Assume full compromise. Rotate all credentials immediately, enforce MFA, upgrade FortiOS firmware, remove management interfaces from the internet, and audit Active Directory for signs of lateral movement.
Has CISA responded?
Yes. CISA issued an emergency alert on June 18, 2026, urging all affected organisations to take immediate action. The FBI and other agencies have not yet issued public statements.
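Two of the remediation steps above (remove management interfaces from the internet, enforce MFA) can be checked against a FortiOS configuration export before anyone logs in to fix them by hand. The Python audit below is an added example for this article, not a Fortinet tool or part of any cited research: it parses the nested config/edit/set/next/end structure of a constructed `show full-configuration` excerpt and reports WAN-role interfaces that expose HTTP, HTTPS, SSH or Telnet, administrators with no trusthost restriction, and administrators without two-factor authentication, then prints the CLI lines that would close the WAN exposure. The sample config, the choice of role wan as the exposure test, and the fix of keeping only ping on the WAN interface are assumptions for illustration.

```python
import shlex

# Constructed FortiOS-style excerpt (not from a real device). Password and
# token values are placeholders.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER
    next
    edit "ops"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTK-PLACEHOLDER"
        set password ENC PLACEHOLDER
    next
end
"""

# Protocols on allowaccess that give an administrative foothold.
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_fortios(text):
    """Build nested dicts: {"system interface": {"wan1": {"allowaccess": [...]}}}.

    config/edit push a container onto the stack; next/end pop it; set stores
    its values as a list under the key.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif cmd == "set":
            stack[-1][tok[1]] = tok[2:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit(cfg):
    """Return human-readable findings for exposed management and weak admins."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role", ["undefined"])[0] == "wan" and exposed:
            findings.append(f"interface {name}: management protocols "
                            f"{sorted(exposed)} reachable on WAN-role interface")
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(f"admin {name}: no trusthost restriction")
        if adm.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin {name}: two-factor disabled")
    return findings


def remediation(cfg):
    """Emit CLI lines that strip management protocols from WAN-role interfaces."""
    lines = []
    for name, iface in cfg.get("system interface", {}).items():
        access = iface.get("allowaccess", [])
        if iface.get("role", ["undefined"])[0] != "wan" or not (MGMT_PROTOCOLS & set(access)):
            continue
        keep = [p for p in access if p not in MGMT_PROTOCOLS]
        setting = f"set allowaccess {' '.join(keep)}" if keep else "unset allowaccess"
        lines += ["config system interface", f'    edit "{name}"',
                  f"        {setting}", "    next", "end"]
    return lines


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for f in audit(cfg):
        print("FINDING:", f)
    print("\n".join(remediation(cfg)))
```

The trusthost and two-factor checks deliberately report the built-in admin account, since a reachable login page plus an account that accepts a password alone from anywhere is exactly the combination the mass-spraying phase of this campaign relied on.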
- Ars Technica — Massive breach spills credentials for thousands of sensitive networks
- Hudson Rock — FortiBleed: 75,000 Fortinet Firewalls Compromised
- TechCrunch — Cybercriminals allegedly hacked tens of thousands of Fortinet firewalls
- BleepingComputer — FortiBleed leak exposes Fortinet VPN credentials
- Help Net Security — 74,000 Fortinet firewall credentials exposed
- Insurance Journal / Reuters — Major Hack Campaign Against Fortinet Devices
- SpyCloud — Inside the FortiBleed Threat Actor Infrastructure
All sources accessed June 17–21, 2026. This article links to external reporting for reference and does not feature affiliate links.