FortiBleed: 430,000+ FortiGate Firewalls Compromised, 110 Million Credentials Stolen
A massive credential-harvesting campaign dubbed FortiBleed has silently compromised over 430,000 FortiGate firewalls globally, stealing 110 million+ credentials from live network traffic since February 2026.
What is FortiBleed?
FortiBleed is a large-scale, industrialized credential collection operation that turned enterprise-grade FortiGate firewalls into covert listening posts. The campaign, tracked by SOCRadar's Threat Research Unit, has been active since at least February 2026.
Every FortiGate firewall sits at a network boundary, where it sees the authentication traffic passing through it. The attackers exploited this privileged vantage point by abusing `diagnose sniffer packet`, a built-in FortiOS diagnostic command that dumps live packets from the CLI, to intercept usernames, passwords, and password hashes in real time. Only what the device can read is exposed this way: cleartext protocols and challenge-response authentication exchanges (the source of the captured hashes); the sniffer does not decrypt TLS-protected sessions.
The Scale of the Attack
The numbers are staggering: more than 430,000 compromised FortiGate firewalls and over 110 million credentials harvested from live traffic.
The campaign is global, with India (11.4%) and the United States (10.1%) leading by affected domains, followed by Taiwan, Mexico, Turkey, the UAE, and Malaysia.
How the Attack Works
SOCRadar identified a methodical five-phase attack chain:
Phase 1: Reconnaissance
Attackers use leaked credentials, custom wordlists, and scanning tools to identify exposed FortiGate devices and profile targets.
Phase 2: Initial Access
After gaining SSH access to the management interface, typically by brute-forcing passwords or replaying leaked credentials, the attackers establish a foothold on the device.
Phase 3: Traffic Harvesting
A custom sniffer tool, built on the native `diagnose sniffer packet` command, captures sensitive traffic and extracts credentials and authentication hashes in real time.
Phase 4: Credential Exploitation
Stolen hashes are cracked offline, and the recovered passwords are used for Active Directory enumeration, privilege escalation, and credential reuse across the network.
Phase 5: Data Exfiltration
Attackers steal data from SMB/DFS shares and replay captured web cookies to hijack authenticated sessions and maintain persistent access.
The Access Broker Behind FortiBleed
Researcher Volodymyr "Bob" Diachenko discovered a live, exposed server containing working login credentials for tens of thousands of Fortinet firewalls. The server was left open by accident, complete with tools, logs, scripts, and a credential catalog.
The operation ran mostly on off-the-shelf parts.
When the breach made news, the broker didn't go quiet — they updated a live auction, raised prices, and cited news coverage as an authenticity guarantee.
How to Protect Your Organization
Immediate Actions
1. **Rotate all FortiGate VPN and admin credentials** immediately, and treat any account whose logins transited a compromised firewall (Active Directory and web application credentials included) as exposed
2. **Enforce multi-factor authentication** on all management interfaces
3. **Remove management interfaces from direct internet exposure**
4. **Search logs for FortiBleed indicators** including FortigateSniffer artifacts
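Items 2 and 3 above can be checked mechanically against a configuration backup. The script below is example code written for this article (not a Fortinet or SOCRadar tool): it parses one nesting level of a FortiOS `config`/`edit`/`set`/`next`/`end` dump and reports management protocols allowed on WAN-role interfaces and admin accounts with no trusted-host restriction or two-factor disabled. The embedded config is constructed for the example, and the attribute names (`role`, `allowaccess`, `trusthostN`, `two-factor`) are assumed to match what your FortiOS version emits.

```python
"""Audit a FortiOS configuration dump for two of the exposures in the checklist
above: management protocols reachable on WAN-facing interfaces, and admin
accounts with no trusted-host restriction or no two-factor authentication.

Example code written for this article, not a Fortinet or SOCRadar tool.
SAMPLE_CONFIG is constructed for the example; it follows the config/edit/set/
next/end layout of a `show full-configuration` dump, and the attribute names
(role, allowaccess, trusthost1..10, two-factor) are assumed to match FortiOS."""

from typing import Dict, List

# Protocols that hand an attacker a management foothold if reachable from WAN.
MGMT_PROTOCOLS = {"ssh", "https", "http", "telnet", "snmp"}

SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.20.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, str]]]


def parse_config(text: str) -> Config:
    """Parse one nesting level of FortiOS CLI config into
    {section: {entry: {attribute: value}}}."""
    cfg: Config = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            cfg.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            cfg[section][entry] = {}
        elif line.startswith("set ") and section is not None and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            cfg[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return cfg


def audit(cfg: Config) -> List[str]:
    """Return one finding string per weak setting."""
    findings: List[str] = []
    for name, attrs in cfg.get("system interface", {}).items():
        if attrs.get("role") == "wan":
            exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", "").split())
            if exposed:
                findings.append(
                    f"interface {name}: management protocols allowed on WAN "
                    f"({', '.join(sorted(exposed))}); remove them from allowaccess")
    for name, attrs in cfg.get("system admin", {}).items():
        # trusthostN defaults to 0.0.0.0 0.0.0.0, which restricts nothing.
        restricted = any(k.startswith("trusthost") and not v.startswith("0.0.0.0")
                         for k, v in attrs.items())
        if not restricted:
            findings.append(f"admin {name}: no trusthost restriction; logins accepted from any source")
        if attrs.get("two-factor", "disable") == "disable":
            findings.append(f"admin {name}: two-factor disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a `show full-configuration` export rather than a live device; the parser handles only the two sections it needs, so nested sub-blocks in other sections are ignored rather than misread.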
Detection Queries
Look for repeated failed administrator SSH logins followed by a success from the same source address, administrator sessions that invoke `diagnose sniffer packet`, and FortigateSniffer artifacts in collected logs.
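The two log-visible behaviours in the attack chain, a brute-force burst that ends in a successful admin login and a subsequent invocation of the packet sniffer, can be correlated with a short script. The one below is example code written for this article (not a Fortinet or SOCRadar detection). Its log lines are constructed and imitate the key="value" layout of FortiOS event logs, but the field names and message texts are assumptions, so map them to what your firewalls actually emit. Note also that FortiOS records executed CLI commands only when CLI audit logging is enabled, so the second detection has nothing to match on devices where it is off.

```python
"""Flag the two behaviours in the FortiBleed chain that leave traces in
FortiGate event logs: a burst of failed administrator SSH logins followed by a
success from the same source, and an administrator invoking
`diagnose sniffer packet`.

Example code written for this article, not a Fortinet or SOCRadar detection.
SAMPLE_LOG is constructed; the lines imitate the key="value" layout of FortiOS
event logs, but the field names and message texts are assumptions."""

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')
UI_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # ssh(203.0.113.5) -> 203.0.113.5

SAMPLE_LOG = """
date=2026-03-02 time=02:50:00 type="event" subtype="system" user="netops" ui="ssh(10.20.0.7)" action="login" status="success" msg="Administrator netops login successful through ssh(10.20.0.7)"
date=2026-03-02 time=02:51:30 type="event" subtype="system" user="netops" ui="ssh(10.20.0.7)" action="execute" msg="User netops executed command: diagnose sys top"
date=2026-03-02 time=03:14:05 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(203.0.113.5)"
date=2026-03-02 time=03:14:12 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(203.0.113.5)"
date=2026-03-02 time=03:14:19 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(203.0.113.5)"
date=2026-03-02 time=03:14:26 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(203.0.113.5)"
date=2026-03-02 time=03:14:33 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(203.0.113.5)"
date=2026-03-02 time=03:14:41 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="login" status="success" msg="Administrator admin login successful through ssh(203.0.113.5)"
date=2026-03-02 time=03:15:10 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="execute" msg="User admin executed command: diagnose sniffer packet any 'port 389 or port 445 or port 80' 3"
"""


def parse_line(line: str) -> dict:
    """Split a key="value" log line into a dict, adding a parsed timestamp
    and the source IP taken from the ui field (or 'console' if none)."""
    fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    fields["ts"] = datetime.fromisoformat(f"{fields['date']} {fields['time']}")
    m = UI_IP.search(fields.get("ui", ""))
    fields["src_ip"] = m.group(1) if m else "console"
    return fields


def detect(lines: List[str], fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=10),
           trusted_prefixes=("10.", "192.168.", "console")) -> List[str]:
    """Return alert strings for (1) >= fail_threshold failed logins from one
    source inside `window` followed by a success from that source, and
    (2) any `diagnose sniffer packet` invocation. A sniffer invocation is HIGH
    when the source brute-forced its way in or is outside trusted_prefixes."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    failures: Dict[str, List[datetime]] = defaultdict(list)
    brute_forced = set()
    alerts: List[str] = []
    for e in events:
        ip = e["src_ip"]
        if e.get("action") == "login":
            if e.get("status") == "failed":
                # sliding window: drop failures older than `window`, add this one
                failures[ip] = [t for t in failures[ip] if e["ts"] - t <= window] + [e["ts"]]
            elif e.get("status") == "success" and len(failures[ip]) >= fail_threshold:
                brute_forced.add(ip)
                alerts.append(f"{e['ts']} BRUTE-FORCE-SUCCESS user={e['user']} src={ip} "
                              f"failures_before_success={len(failures[ip])}")
                failures[ip].clear()
        elif "diagnose sniffer packet" in e.get("msg", ""):
            suspicious = ip in brute_forced or not ip.startswith(trusted_prefixes)
            sev = "HIGH" if suspicious else "REVIEW"
            alerts.append(f"{e['ts']} {sev} SNIFFER-INVOKED user={e['user']} src={ip} cmd={e['msg']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Legitimate troubleshooting also uses `diagnose sniffer packet`, which is why the second rule grades rather than blocks: an invocation from an administrator subnet gets REVIEW, while one from an untrusted address or from a session that followed a brute-force burst gets HIGH. Tune `fail_threshold` and `window` to your lockout settings; an attacker pacing attempts below the lockout threshold still accumulates failures inside the window.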
Long-Term Hardening
Check Your Domain Security
Use Vaarta.space to scan your domain for exposed services and misconfigurations that could make you a target for campaigns like FortiBleed.
[Scan your domain now](https://vaarta.space)