
FortiBleed: 75,000 Fortinet Firewalls Exposed by Stolen Credentials

A massive leak of Fortinet firewall credentials affects tens of thousands of organizations across 194 countries, without exploiting a zero-day vulnerability.

June 18, 2026 · 4 min read


TL;DR: A leak of Fortinet firewall credentials exposes 73,932 devices across 194 countries. No zero-day vulnerability was exploited; the credentials come from weak or reused passwords. Changing credentials and enabling MFA is recommended.

What Happened?

On June 26, 2026, security researchers revealed the existence of a leaked dataset containing access credentials for Fortinet FortiGate firewalls. The file, dubbed 'FortiBleed', includes usernames, emails, and plaintext passwords corresponding to 73,932 unique devices across 194 countries, affecting over 21,000 domains. According to The Next Web, the origin of the credentials is not a zero-day vulnerability but the use of old, weak, or reused passwords obtained through brute-force attacks or previous leaks. The discovery was made by a team of researchers who analyzed underground forums and dark web markets, where the dataset was being sold for an undisclosed amount. The affected organizations range from small businesses to large corporations and government entities, with a significant concentration in the United States (18% of devices), followed by the United Kingdom, Germany, and Brazil.

Why Is This Important?

Fortinet firewalls are critical components in the network infrastructure of many companies, governments, and service providers. Exposed credentials allow attackers to access internal networks, deploy ransomware, steal data, or establish persistence. This incident echoes the 'FortiOS 0-day' case of 2023, where a critical vulnerability (CVE-2022-40684) allowed attackers to bypass authentication on tens of thousands of FortiGate firewalls. However, the key difference is that FortiBleed did not exploit a technical vulnerability but rather poor security practices, such as weak, reused, or previously leaked passwords. The scale of the leak (nearly 74,000 devices) makes it one of the largest of its kind, surpassing even the Citrix ADC credential incident in 2020 that affected 25,000 devices. Moreover, the fact that passwords are in plaintext suggests attackers managed to extract them from configuration files or internal databases, indicating prior access to centralized management systems.

Consequences

  • Immediate risk of intrusions: Leaked credentials can be used to access corporate VPNs and internal networks. Since many organizations do not rotate passwords frequently, attackers could have a window of opportunity lasting weeks or months. Historical data shows that 60% of credential leaks result in unauthorized access within the first 30 days.
  • Reputational damage for Fortinet: Although not a product vulnerability, the association with previous security failures (like the 2023 zero-day) may erode customer trust. Fortinet has issued a statement noting that the incident is not due to a flaw in its products but to poor user practices. Even so, the market could react negatively, especially if it is shown that the company did not adequately promote security best practices.
  • Increased regulatory scrutiny: Affected organizations could face fines for non-compliance with regulations such as GDPR or CCPA if negligence in password management is proven. For example, under GDPR, fines can reach 4% of annual global revenue. Additionally, regulated sectors like finance and healthcare could face extra audits.
  • Security recommendations: Fortinet has urged customers to change passwords, enable multi-factor authentication (MFA), and review access logs. However, MFA adoption is not universal, and many organizations still rely solely on passwords. This incident could accelerate the adoption of passwordless or certificate-based access solutions.
  • Impact on the cyber insurance market: Cyber insurance premiums could rise for organizations using Fortinet firewalls, especially if they fail to follow best practices. Moreover, claims related to this incident could increase costs across the sector.

What Should Readers Know?

If your organization uses Fortinet firewalls, you should assume your credentials may be compromised and act immediately: change passwords, rotate API keys, review logs for unauthorized access, and update firmware. For the general public, this incident reinforces the need to use unique, strong passwords and enable MFA whenever possible. It has not been confirmed that attackers have actively exploited all credentials, but the risk is high. Historically, similar leaks have led to high-profile ransomware attacks, such as the Colonial Pipeline case in 2021, where a compromised VPN password allowed network access. Additionally, users should be alert to potential phishing campaigns that use these credentials to gain credibility. Monitoring services like Have I Been Pwned can show whether your email addresses appear in the leak. Finally, this event underscores the importance of password hygiene and the need for network device manufacturers to implement stricter measures, such as banning weak default passwords and mandating MFA.
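One way to carry out the access review recommended above, as an added example that is not from the article or from Fortinet: it scans exported login events for successful logins from addresses outside your management networks. The sample lines are constructed, and the field names (`user`, `srcip`, `action`, `status`, `method`) and the `MGMT_NETS` range are assumptions to check against your own log export.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: networks that administrators are expected to log in from.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines in key=value event-log style (not real data).
SAMPLE_LOG = '''\
date=2026-06-27 time=02:11:40 type="event" subtype="system" user="admin" srcip=10.20.0.15 action="login" status="success" method="https"
date=2026-06-27 time=03:02:10 type="event" subtype="system" user="netops" srcip=198.51.100.23 action="login" status="failed" method="ssh"
date=2026-06-27 time=03:02:19 type="event" subtype="system" user="netops" srcip=198.51.100.23 action="login" status="success" method="ssh"
date=2026-06-27 time=04:47:55 type="event" subtype="system" user="admin" srcip=203.0.113.77 action="login" status="success" method="https"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: (q if q else b) for k, q, b in KV.findall(line)}

def in_mgmt(ip):
    return any(ipaddress.ip_address(ip) in net for net in MGMT_NETS)

def review_admin_logins(log_text):
    """Return findings for successful logins from outside MGMT_NETS."""
    failures = defaultdict(int)  # (user, srcip) -> failed attempts seen so far
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        key = (ev.get("user"), ev["srcip"])
        if ev.get("status") == "failed":
            failures[key] += 1
        elif ev.get("status") == "success" and not in_mgmt(ev["srcip"]):
            findings.append({
                "when": f'{ev.get("date")} {ev.get("time")}',
                "user": ev.get("user"),
                "srcip": ev["srcip"],
                "method": ev.get("method"),
                # No earlier failures: the password was already known to the client.
                "first_try": failures[key] == 0,
            })
    return findings

if __name__ == "__main__":
    for finding in review_admin_logins(SAMPLE_LOG):
        print(finding)
```

A `first_try` finding deserves priority: a login with a previously leaked password produces no failed attempts, so lockout and brute-force alerts never fire for it.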
