Lead Analysis
Security & Risk | 5 min

FortiBleed Leak Exposes Credentials of 75,000 Fortinet Firewalls in 194 Countries

Security operations room late into the night, with monitors in blue light showing red alerts about Fortinet devices and a world map on the wall with pins in 194 countries.

Researcher Bob Diachenko found a database with 73,932 exposed Fortinet devices impacting Oracle, Siemens, Accenture, and PwC. Fortinet denies zero-day, CISA issues alert.

The database containing credentials for 73,932 Fortinet firewalls spread across 194 countries began circulating on June 18, according to Ukrainian researcher Volodymyr "Bob" Diachenko, who identified the server. The set includes usernames, emails, and plaintext passwords from FortiGate devices and VPN gateways, with over 21,000 corporate domains listed. Notable names such as Oracle, Chevron, Lenovo, FedEx, Foxconn, Samsung, Comcast, Siemens, DHL, Infosys, PwC, Accenture, and a NATO defense contractor appeared in the list.


The campaign, dubbed FortiBleed in early reports, has been attributed to a group of Russian-speaking criminals. Analysts who accessed the material described 1.16 billion credential attempts against 320,777 FortiGate targets, coupled with another 2.1 billion brute-force attacks against 163,650 Microsoft SQL Server instances.


Fortinet and CISA's Response


Fortinet issued a statement indicating it is aware of the "third-party credential harvesting campaign targeting Fortinet firewalls and VPN gateways." The company attributes the material to "a reuse of data from previous incidents, combined with credentials obtained through brute force," and denies that any new vulnerability exists in the product. "So far, we have found no evidence that Fortinet has been compromised or that this activity is related to a zero-day," the company stated in a public announcement.


On the same day, June 18, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert for federal and private organizations in the U.S. to harden their internet-exposed Fortinet installations. The Hong Kong Cybersecurity Coordination Center (HKCERT) released a simultaneous notice, citing the risk for local companies. Even with Fortinet rejecting the zero-day label, what alarms SOC teams is the number of plaintext credentials that still work today: each valid username-password pair is an open door until the password is changed.


Why This Leak Is Different


The significance of FortiBleed lies less in the method and more in the scale at which management and VPN credentials are mixed together. In edge firewalls, the same set of credentials can open both the device console and the tunnel carrying corporate traffic. For a multinational with offices in dozens of countries, this turns a single compromised firewall into a bridge to the entire internal network. The affected list includes names operating in industrial sectors (Siemens, Foxconn, Samsung), logistics (FedEx, DHL), and consulting (Accenture, PwC), spanning geographies from South Korea to Germany.


Arctic Wolf, in a technical analysis also published on June 18, notes that the campaign is "active" in the sense that login attempts continue, but that the data itself may have been acquired months earlier, with different incidents consolidated into a single dossier. In Arctic Wolf's assessment, this is more a compilation than a new leak, which contrasts with the framing of an "unprecedented attack" that circulated on social media.


The C-Level View


For the CIO of a multinational, there are three immediate fronts to address. The first is to run the indicators of compromise (IOCs) published by CISA against the operation's firewalls, even where the security team asserts that credentials were rotated after last year's Belsen leak. The second is to verify the Fortinet-based VPN used by smaller branches, where MFA may still not be enforced. The third is to demand from the managed services partner (Accenture, PwC, Infosys, Capgemini, all listed as affected, either as end clients or through their own clients) the details of what they are running behind the Fortinet edge.
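As an added example (not from the article, CISA, Fortinet, or Arctic Wolf), the following Python script shows how a SOC team might work the first of these fronts: cross-check a leaked-credential dump against the organization's own domains, flag passwords that appear on more than one device, and scan edge-device authentication logs for successful logins by exposed accounts on or after the leak date. The dump layout, the key=value log fields (`action`, `user`, `remip`), the hostnames, addresses and dates are all constructed for the demonstration; neither the real dataset nor the vendor's actual log schema is reproduced here.

```python
"""Triage a leaked-credential dump against an organization's own assets.

Everything below is constructed sample data. The CSV layout and the
key=value log fields are assumptions for the demonstration, not the
format of the circulating dataset or of any vendor's logs.
"""
from __future__ import annotations

import csv
import io
import shlex
from collections import Counter, defaultdict
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed dump: one row per (account, password, device) triple.
LEAK_DUMP = """email,password,device
admin@example.com,Summer2023!,fw-hq-01.example.com
vpnuser@example.com,Welcome1,vpn-branch-7.example.com
admin@example.com,Summer2023!,fw-dr-02.example.com
jdoe@example.org,hunter2,fw-edge.example.org
other@unrelated.test,pass,fw.unrelated.test
"""

# Constructed key=value auth events (field names assumed; year constructed).
AUTH_LOG = """date=2025-06-17 time=22:10:01 action=ssl-login-fail user="admin@example.com" remip=203.0.113.5
date=2025-06-19 time=03:14:07 action=ssl-login-fail user="vpnuser@example.com" remip=198.51.100.9
date=2025-06-19 time=03:14:09 action=tunnel-up user="vpnuser@example.com" remip=198.51.100.9
date=2025-06-20 time=09:00:00 action=tunnel-up user="alice@example.com" remip=192.0.2.44
"""

OWNED_DOMAINS: Set[str] = {"example.com"}  # domains this organization controls
LEAK_DATE = date(2025, 6, 18)               # day the dump began circulating


def parse_dump(text: str) -> List[Dict[str, str]]:
    """Read the CSV dump into dict rows (email, password, device)."""
    return list(csv.DictReader(io.StringIO(text)))


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def exposed_accounts(rows: List[Dict[str, str]], owned: Set[str]) -> Dict[str, Set[str]]:
    """Map each account under an owned domain to the devices it appears on."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if _domain(r["email"]) in owned:
            out[r["email"].lower()].add(r["device"])
    return dict(out)


def reused_passwords(rows: List[Dict[str, str]], owned: Set[str]) -> Dict[str, Set[str]]:
    """Passwords seen on more than one owned device: rotating one box is not enough."""
    by_pw: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if _domain(r["email"]) in owned:
            by_pw[r["password"]].add(r["device"])
    return {pw: devs for pw, devs in by_pw.items() if len(devs) > 1}


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line; shlex handles the quoted values."""
    fields: Dict[str, str] = {}
    for tok in shlex.split(line):
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def post_leak_logins(log_text: str, exposed: Dict[str, Set[str]], since: date) -> List[Tuple[str, str, str]]:
    """Successful tunnel logins by exposed accounts on/after the leak date."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_kv(line)
        if (f.get("action") == "tunnel-up"
                and f.get("user", "").lower() in exposed
                and date.fromisoformat(f["date"]) >= since):
            hits.append((f["date"], f["user"], f["remip"]))
    return hits


def failures_by_source(log_text: str) -> Counter:
    """Count failed logins per source address (brute-force / stuffing signal)."""
    c: Counter = Counter()
    for line in log_text.splitlines():
        if line.strip() and parse_kv(line).get("action") == "ssl-login-fail":
            c[parse_kv(line)["remip"]] += 1
    return c


if __name__ == "__main__":
    rows = parse_dump(LEAK_DUMP)
    exposed = exposed_accounts(rows, OWNED_DOMAINS)
    print("rotate now:", sorted(exposed))
    print("shared passwords across devices:", reused_passwords(rows, OWNED_DOMAINS))
    print("post-leak logins by exposed accounts:", post_leak_logins(AUTH_LOG, exposed, LEAK_DATE))
    print("failed logins per source:", failures_by_source(AUTH_LOG))
```

The three outputs map onto the triage order a SOC would follow: accounts to rotate immediately, shared secrets that make a single rotation insufficient, and exposed accounts that have already authenticated since the leak date, which need investigation rather than just a password change.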


The key data point to watch over the next 72 hours is whether any of the names mentioned by Diachenko issue an official statement. As of this writing, none of the corporate clients listed had publicly commented on direct exposure. Silence in these circumstances usually indicates ongoing internal evaluation, not absence of impact.
