The Largest Firewall Compromise of 2026
Cybersecurity researchers have uncovered a sweeping global campaign — dubbed "FortiBleed" — that has compromised over 86,644 Fortinet FortiGate firewalls across 194 countries, making it one of the most pervasive network infrastructure attacks in recent history. The campaign, first reported by security researcher Bob Diachenko and confirmed by TechCrunch, exploits weak credential hygiene rather than any zero-day vulnerability — a troubling reminder that the simplest attack vectors often cause the most damage.
Victims include Fortune 500 giants such as Oracle, Samsung, Lenovo, Accenture, Foxconn, Siemens, Comcast, and PwC, alongside government agencies and NATO contractors. CISA has issued a formal warning urging all Fortinet customers to take immediate action.
How FortiBleed Works
Unlike traditional attacks that exploit software flaws, FortiBleed relies on a devastatingly simple method: automated credential stuffing using passwords leaked from previous breaches. The attackers scan the internet for exposed Fortinet management interfaces, then break in using default, weak, or previously compromised credentials.
A Self-Feeding Attack Loop
What makes FortiBleed especially dangerous is its self-sustaining architecture, as detailed by cybersecurity firms Hudson Rock and SOCRadar:
- Scan: Automated tools identify internet-exposed Fortinet firewalls globally.
- Breach: Attackers use credential-stuffing techniques with leaked passwords.
- Listen: Once inside, the compromised device becomes a listening post, monitoring all traffic.
- Harvest: Fresh credentials flowing through the device are captured and fed back into the scanning loop.
According to SOCRadar's report, the attackers have organized their haul into a structured database categorized by country, industry sector, and company revenue — suggesting sophisticated operational planning rather than opportunistic hacking.
Massive Scale and Global Reach
The numbers are staggering. Arctic Wolf's analysis confirms the campaign spans 194 countries, with the highest concentrations in India, the United States, Taiwan, and Mexico. The most affected sectors include IT services, telecommunications, construction materials, and government agencies.
Independent security researcher Kevin Beaumont analyzed the leaked dataset and confirmed the credentials are legitimate. Hudson Rock found that generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) make up the majority of compromised credentials — a damning indictment of enterprise security practices in 2026.
Context: A Year of Escalating Threats
FortiBleed follows an already brutal year for cybersecurity. Earlier in 2026, the DOGE data breach and ShinyHunters campaigns dominated headlines — which we covered in our roundup of 2026's worst cybersecurity breaches. Supply chain attacks have also grown more sophisticated, with over 15,000 GitHub repositories infected with malware earlier this year. And the rise of AI-powered cyber threats has added a new dimension to the challenge.
What Organizations Should Do Now
Fortinet has stated that the breach is not related to any new vulnerability in its products, but rather "a resharing of data from previous incidents and brute-forcing of credentials." Nonetheless, CISA has urged all organizations using Fortinet devices to:
- Immediately rotate all admin credentials on FortiGate devices.
- Disable default accounts and enforce multi-factor authentication (MFA).
- Restrict management interfaces to trusted IP addresses only — never expose them to the public internet.
- Audit logs for unauthorized access and check credentials against Hudson Rock's free lookup tool at breached.company.
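The last two recommendations, restricting management access to trusted addresses and auditing logs for unauthorized access, can be turned into a simple check over the firewall's own admin-login events. The script below is an added example, not code from the article, Fortinet, or CISA; the log lines are constructed, and the field names (srcip, user, action, status) are assumptions loosely modeled on FortiGate key=value syslog, so map them to your real export. It flags logins from outside the trusted management range, a single source failing against several different admin usernames (the credential-stuffing pattern described above), and a success from a source that had already been stuffing.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample events in FortiGate-style key=value syslog form (assumed field names).
SAMPLE_LOGS = """\
date=2026-03-01 time=02:14:01 logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:14:03 logdesc="Admin login failed" user="fortinet" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:14:05 logdesc="Admin login failed" user="root" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2026-03-01 time=02:14:09 logdesc="Admin login successful" user="admin" srcip=203.0.113.5 action="login" status="success"
date=2026-03-01 time=09:30:00 logdesc="Admin login failed" user="jsmith" srcip=10.0.0.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=09:30:20 logdesc="Admin login successful" user="jsmith" srcip=10.0.0.7 action="login" status="success"
"""

# Assumed trusted management network; adjust to the ranges you actually allow.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# key=value pairs where the value is either "quoted text" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict; quoted and bare values both supported."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def analyze(log_text, trusted=TRUSTED_NETS, fail_threshold=3):
    """Return a list of findings for admin-login events in log_text.

    credential_stuffing fires once per source when it has failed against
    fail_threshold distinct usernames; success_after_failures fires only for a
    source that already crossed that threshold, so a single typo followed by a
    correct password from a trusted host is not flagged.
    """
    failed_users = defaultdict(set)  # srcip -> usernames that failed from it
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login":
            continue  # not an admin-login event
        src, user = ev["srcip"], ev["user"]
        if not any(ipaddress.ip_address(src) in net for net in trusted):
            findings.append({"kind": "untrusted_source", "src": src, "user": user})
        if ev.get("status") == "failed":
            failed_users[src].add(user)
            if len(failed_users[src]) == fail_threshold:
                findings.append({"kind": "credential_stuffing", "src": src,
                                 "users": sorted(failed_users[src])})
        elif ev.get("status") == "success" and len(failed_users[src]) >= fail_threshold:
            findings.append({"kind": "success_after_failures", "src": src, "user": user})
    return findings
```

Any `untrusted_source` finding means the management interface is reachable from an address it should not be; on the device itself the matching control is the per-administrator trusted-host setting (`set trusthost1 <cidr>` under `config system admin`), which rejects such logins before a password is ever checked.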
The Bigger Picture
FortiBleed is a wake-up call that the fundamentals of cybersecurity — password hygiene, access control, and network segmentation — remain the most critical defenses, even in an era of AI-powered security tools. As attackers increasingly turn to low-tech methods with devastatingly high-tech automation, the weakest link in any organization's security posture is still the same: human oversight.
Originally published on TekMag