
FortiBleed Shows Why Default Passwords Are Still a Critical Risk

FortiBleed has compromised over 30,000 Fortinet firewalls and VPNs worldwide, with working credentials confirmed across 194 countries.

Dateline: June 17, 2026

A Hacking Group Quietly Collected Working Passwords for 30,000 Firewalls

Thirty thousand corporate firewalls, working passwords for every single one, and the attacker did not even need to break a sweat. That is the picture researchers just uncovered behind a quiet, ongoing campaign against Fortinet devices.

What Happened?

Threat intelligence firm SOCRadar found the operational server of a hacking group that has spent months breaking into Fortinet firewalls and VPN gateways worldwide. The server held more than the usual stolen data dump. It held the tools, the automation scripts, and a working database of 30,791 confirmed login credentials spanning 194 countries. SOCRadar is calling the campaign FortiBleed and rating it Critical.

FortiBleed, by the Numbers

  • 30,791 confirmed working credentials found
  • 194 countries with compromised devices
  • 21,108 unique IP addresses affected
  • 8,316 unique domains tied to the dataset

The attack runs on two steps, and both repeat without a person touching a keyboard. First, the group tests a list of previously leaked Fortinet passwords against devices exposed on the internet, mostly through port 443, the standard port for Fortinet’s SSL VPN interface.

Many of those passwords work because the organizations never changed them after an earlier breach. Once inside a device, the attackers quietly watch the traffic flowing through it and pull out any fresh credentials that pass by. Those new passwords get fed straight back into the scanner, which then finds more devices to break into. The system feeds itself.

The victim list reads like a global business directory. Telecom companies got hit hardest, with over 5,600 credential entries. Government agencies show up across 111 domains, and the researchers found credentials tied to what looks like a defense-industry VPN, hinting that the operation may have goals beyond money.

A System That Feeds Itself

No human needed once the loop starts running:

1. Scanner tests old leaked Fortinet passwords against devices online
2. Working logins get saved to the attacker’s growing database
3. Attackers quietly watch traffic on each compromised device
4. Fresh credentials spotted in that traffic get harvested too

New credentials feed back into step 1, and the cycle repeats.

India and the United States together account for close to a third of all stolen entries. The tooling and the heavy focus on countries tied to NATO point toward Russian-speaking operators, though attribution work is still ongoing.

The Impact

What makes this so dangerous is how unglamorous the entry point is. Most of the stolen logins trace back to generic admin accounts and built-in Fortinet system accounts, the kind that get set up by default and never touched again. No exploit needed. No zero-day required. Just a password nobody bothered to change, sitting on a firewall facing the open internet. If your organization shows up in this dataset, treat it as a confirmed break-in, not a warning.

How to Avoid This

Change every admin and VPN password on your Fortinet devices today, especially any that have not been rotated in years. Turn on two-factor authentication for every admin and remote-access account. Pull your management interfaces off the public internet if they are currently reachable, since that alone removes a huge chunk of the exposure. Review login history for anything unfamiliar, then update firmware to close the known gaps attackers rely on.
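The login-history review above is easy to automate. The script below is an added example, not code from Secure.com or Fortinet: it parses key=value admin login events (the format and the sample lines are constructed, modelled loosely on firewall syslog records, not real telemetry) and flags successful admin logins that either come from a source outside your admin allowlist or follow a burst of failures from the same source, the shape a credential-testing scanner leaves behind.

```python
"""Flag suspicious admin logins in firewall event logs (added example)."""
import re
from collections import defaultdict

# Constructed sample events; the format is an assumption, not a real device's output.
SAMPLE_LOG = """\
date=2026-06-15 time=08:01:10 type="event" action="login" status="failed" user="admin" srcip=203.0.113.7 ui="https(203.0.113.7)"
date=2026-06-15 time=08:01:11 type="event" action="login" status="failed" user="fortinet" srcip=203.0.113.7 ui="https(203.0.113.7)"
date=2026-06-15 time=08:01:12 type="event" action="login" status="success" user="admin" srcip=203.0.113.7 ui="https(203.0.113.7)"
date=2026-06-15 time=09:15:40 type="event" action="login" status="success" user="admin" srcip=10.0.5.20 ui="https(10.0.5.20)"
"""

# key=value pairs; values may be double-quoted (and contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def flag_logins(log_text, trusted_sources, fail_threshold=2):
    """Return (user, srcip, reason) for each successful login worth a closer look.

    trusted_sources: set of source IPs your admins normally log in from.
    fail_threshold: failures from one source before a success is treated as
                    a password-testing pattern rather than a typo.
    """
    failures = defaultdict(int)  # srcip -> failed attempts seen so far
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("action") != "login":
            continue
        src = ev.get("srcip", "?")
        if ev.get("status") == "failed":
            failures[src] += 1
            continue
        if ev.get("status") == "success":
            reasons = []
            if src not in trusted_sources:
                reasons.append("source not in admin allowlist")
            if failures[src] >= fail_threshold:
                reasons.append(f"{failures[src]} failed attempts from same source first")
            if reasons:
                findings.append((ev.get("user"), src, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, src, why in flag_logins(SAMPLE_LOG, {"10.0.5.20"}):
        print(f"REVIEW: user={user} from {src}: {why}")
```

Feed it your exported admin login events and the real allowlist; any hit against a built-in or default account is exactly the kind of entry the FortiBleed dataset is built from.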

What Actually Made This Possible

  • No zero-day vulnerability needed
  • No advanced exploit chain required
  • Just default and never-rotated passwords on internet-facing firewalls

Default Passwords Age Into Open Doors

Secure.com helps security teams find the exposed accounts and forgotten passwords attackers count on before a campaign like FortiBleed finds them first.

  • Flags devices still running default or unrotated credentials before they end up in an attacker’s database
  • Surfaces management interfaces and admin panels exposed to the public internet
  • Cross-checks your asset list against known compromised credential dumps as they surface
  • Helps prioritize patching and password rotation based on what is actually being exploited right now
  • Gives security teams one place to track exposure across every firewall and VPN gateway in the environment