A devastating cyber espionage campaign now dubbed FortiBleed has silently compromised over 73,932 unique Fortinet firewall URLs spanning 194 countries. Originally uncovered by security researcher Volodymyr “Bob” Diachenko and subsequently analyzed by Hudson Rock, this campaign exposes a highly automated, industrial-scale operation targeting FortiGate devices and SSL VPN gateways at an unprecedented global scale — and fundamentally dismantles the concept of “strong passwords” as a perimeter defense.
The Ransomfeed project created a search engine for this leak FortiBleed.
The Scale of the Attack
Threat actors executed an estimated 1.16 billion credential-based attempts against over 320,000 FortiGate targets, while simultaneously launching an additional 2.1 billion brute-force attempts against more than 160,000 MSSQL servers, resulting in 21,632 unique compromised domains. The operation is attributed to a multi-operator, Russian-speaking cybercriminal group whose methodology goes well beyond simple credential stuffing.
The group systematically swept the internet for exposed Fortinet instances, testing them against vast repositories of historical credential leaks harvested by infostealer malware. Once an initial foothold is established, attackers pivot directly into internal Active Directory environments, enabling deep, persistent network access that survives routine security checks.
The SSL VPN Hash Interception Technique
One of the campaign’s most alarming technical vectors is the active interception of SSL VPN authentication hashes, which are subsequently cracked offline using a dedicated 45-GPU cluster managed via Hashtopolis. This means even organizations that believe their encrypted credentials are safe are actively exposed. Once the perimeter is breached, operators monitor traversing traffic to harvest additional logins, creating a self-reinforcing cycle of unauthorized access.
Who Was Compromised?
The scope of confirmed victims touches virtually every sector of the global economy. Diachenko’s research confirmed full network compromises at organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey — most critically including a Turkish NATO defense contractor from which classified defense documents were successfully exfiltrated. The attackers’ verified credential database includes some of the largest enterprises on the planet:
- Technology & Manufacturing: Foxconn, Samsung, Siemens, Lenovo, Oracle
- Professional Services: PwC, Accenture
- Telecommunications: Comcast
- Thousands of government entities and critical infrastructure providers worldwide
Why “Strong Passwords” No Longer Protect You
Perhaps the most sobering takeaway from this dataset is that password complexity offered zero protection. A significant volume of highly complex, 20-character passwords was successfully compromised — not by cracking them from scratch, but because they already existed in plaintext within previously harvested infostealer databases. When credentials are stolen at the endpoint level before encryption is applied, no amount of complexity saves them. This fundamentally undermines the “strong password” policy as a perimeter defense strategy.
Hudson Rock has launched a specialized online portal designed specifically for organizations to easily verify whether their domains are included in the database.
Mitigation Steps
Organizations running Fortinet devices must treat this as a critical, active threat and act immediately:
- Force Credential Rotation: Reset all Fortinet VPN and admin interface passwords without delay — complexity is irrelevant if credentials have already leaked.
- Enforce Universal MFA: Apply Multi-Factor Authentication across all external gateways to neutralize stolen plaintext credentials.
- Audit Gateway Logs: Review Fortinet access logs for anomalous login locations, unexpected admin sessions, or unusual traffic volumes.
- Restrict Management Interface Exposure: Apply local-in policies to restrict admin panel access to trusted internal IPs only, and disable FortiCloud SSO if not essential.
The FortiBleed campaign is a stark reminder that perimeter security is only as strong as the credentials protecting it, and in a world saturated with infostealer-harvested data, the perimeter has never been more fragile. Defenders must shift from password complexity policies toward credential theft detection, behavioral monitoring, and universal MFA adoption.
Source: Cyber Security News — June 17, 2026