FortiBleed: Credential Leak Hits Oracle, Lenovo, NATO, and 74,000 Fortinet Firewalls

AI Staff Writer

A Russian-speaking group cracked credentials for nearly 74,000 Fortinet firewalls across 194 countries. Oracle, Lenovo, Chevron, AT&T, FedEx, Samsung, Siemens, PwC, and a Turkish NATO defence contractor are all on the victim list. Almost all of those firewalls were still online when researchers found them.


The FortiBleed credential breach, disclosed on 17 June 2026, is one of the largest corporate credential exposures in recent memory, and it did not require a new vulnerability. Researchers discovered that a multi-operator, Russian-speaking cybercriminal group systematically harvested plaintext authentication credentials from 73,932 Fortinet firewall and VPN devices across 21,632 unique domains in 194 countries. The victim list spans virtually every sector of the global economy. Hudson Rock and reporting from BleepingComputer name Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Siemens, Lenovo, PwC, Accenture, and Oracle, alongside numerous government agencies. Researchers also confirmed that a Turkish NATO defence contractor suffered a full network breach in which classified defence documents were exfiltrated. Security researcher Bob Diachenko of SecurityDiscovery.com discovered the data after gaining access to the attackers’ command-and-control server. Independent researcher Kevin Beaumont then confirmed the credentials were real and active.

What’s Happening & Why It Matters

FortiBleed Is Not a Vulnerability — It Is Credential Reuse at Industrial Scale

The FortiBleed credential breach is named to echo Heartbleed, but the two share only their scale. FortiBleed is not a single CVE; it is the byproduct of an industrial-scale credential operation. The attack begins simply. According to Diachenko’s analysis, a multi-operator, Russian-speaking cybercriminal group systematically scanned the internet for exposed Fortinet instances, then tested them against historical credential databases harvested by infostealer malware. Most organisations reuse the same passwords across multiple systems, and many fail to rotate credentials after previous breaches. The attackers exploit exactly that gap.

Where credentials matched, the operators captured SSL VPN authentication hashes and cracked them offline using a 45-GPU cluster orchestrated through Hashtopolis. The most sobering takeaway from this dataset is that password complexity offered zero protection: a strong password that has already been stolen by an infostealer is simply replayed, not guessed. The group did not pick a lock. It tried every key it had already collected.

How the Attack Escalates: Active Directory Is the Real Target

The FortiBleed credential breach does not stop at the firewall. Once inside a Fortinet device, the attackers move immediately to the organisation’s core identity infrastructure. In several cases, the threat actors compromised the devices and then went on to access the company’s centralised authentication system, specifically Microsoft Active Directory and RADIUS servers, the two systems that control identity and access across an entire enterprise network. The breach thereby creates a self-reinforcing cycle: once attackers gain Active Directory access, they can harvest credentials for every other system connected to that directory, and each compromise feeds the next.

The NATO Defence Contractor — Classified Documents Stolen

The most severe confirmed consequence of the FortiBleed credential breach is not corporate. Diachenko’s research confirmed full network compromises at organisations across Japan, Taiwan, Vietnam, Iraq, and Turkey, most critically a Turkish NATO defence contractor from which classified defence documents were successfully exfiltrated. That confirmation elevates FortiBleed from a corporate data incident to a national security event. NATO has not issued a public statement as of 18 June.

The victim list also skews heavily toward NATO member countries, which suggests money is not the only motive. Fortinet, for its part, denied that the data represents new attacks and characterised the information as “reshared data from previous incidents.” Diachenko and Beaumont both dispute that framing directly; Beaumont specifically confirmed the credentials are current and active, not historical.

“Almost All” Compromised Devices Remain Online

The FortiBleed credential breach carries an ongoing risk that distinguishes it from historical data leaks. Independent researcher Kevin Beaumont reported that “almost all” of the compromised devices remained online as of Wednesday morning. That detail is critical. A breach affecting only decommissioned or patched systems is a historical problem. A breach affecting devices that are still operational is an active and ongoing one. Every compromised Fortinet firewall that remains online with unchanged credentials is an open door, right now.

As TF covered in its Mythos Project Glasswing expansion article, the 150 organisations receiving access to Anthropic’s most advanced security AI were selected specifically because a successful attack on their systems would affect over 100 million people. FortiBleed demonstrates exactly why that programme exists. The same critical infrastructure operators who need Mythos-level vulnerability scanning are the organisations whose Fortinet VPN credentials now sit in a 45-GPU Russian cracking cluster.

The Fortinet Track Record — FortiBleed Is Not Isolated

The FortiBleed credential breach sits within a documented pattern of Fortinet-related security incidents across 2026. February 5, 2026: Fortinet suffered CVE-2026-24858, a CVSS 9.4 FortiCloud SSO bypass, the fourth authentication-bypass flaw in eight weeks. February 22, 2026: a single actor used off-the-shelf AI tooling to breach 600-plus FortiGate firewalls across 55 countries in five weeks. May 27, 2026: attackers weaponised the patch cycle itself, delivering the EKZ infostealer disguised as a Fortinet update. June 17, 2026: FortiBleed, in which the credentials of 73,932 firewalls surface in a single dataset.

The progression is clear. Individual CVEs became credential harvesting. Credential harvesting became industrial-scale cracking. Industrial-scale cracking became a classified NATO document theft. The through-line is unmistakable: the attacks have shifted from exploiting individual CVEs to industrialising the credentials those exposures produced.

What Affected Organisations Must Do — Right Now

The required response to the FortiBleed credential breach is unglamorous but non-negotiable. Security researchers at Hudson Rock, SOCRadar, and Arctic Wolf all published matching guidance on 17 June. Rotate every Fortinet administrator and VPN password immediately. Enforce multi-factor authentication on all Fortinet management interfaces. Review access logs for authentication events that should not exist. Restrict internet-facing management ports to known IP ranges. Update FortiOS firmware to the current release. Treat the network perimeter as already compromised until verified otherwise. The most common failure that FortiBleed exploits is passive: organisations that skipped password resets after earlier Fortinet incidents are already on the attackers’ verified credential list.
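The log-review and management-allowlist steps above can be turned into a first-pass triage script. This is an added example, not code from Fortinet or from any of the researchers named; the log lines are constructed in a FortiOS-like key=value shape, and the field and action names (`date`, `time`, `subtype`, `action`, `user`, `remip`) are assumptions that a real deployment would map to its own log schema.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def audit(lines, mgmt_allowlist, fail_threshold=5, window_s=600):
    """Flag (1) admin logins (subtype=system) from outside the management
    allowlist and (2) any successful login preceded by >= fail_threshold
    failures for the same user within window_s seconds (stuffing, then success)."""
    nets = [ipaddress.ip_network(n) for n in mgmt_allowlist]
    failures = defaultdict(list)          # user -> timestamps of failed logins
    findings = []
    for line in lines:
        ev = parse(line)
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        user, ip, action = ev.get("user"), ev.get("remip"), ev.get("action", "")
        if action.endswith("login-fail"):
            failures[user].append(ts)
            continue
        if action not in ("login", "ssl-login", "tunnel-up") or not ip:
            continue
        if ev.get("subtype") == "system" and not any(
                ipaddress.ip_address(ip) in n for n in nets):
            findings.append(("outside-allowlist", user, ip))
        recent = [t for t in failures[user] if 0 <= (ts - t).total_seconds() <= window_s]
        if len(recent) >= fail_threshold:
            findings.append(("fail-burst-then-success", user, ip))
    return findings

# Constructed sample lines in a FortiOS-like key=value shape (not real device output).
SAMPLE_LOGS = [
    f'date=2026-06-17 time=09:00:0{i} type="event" subtype="vpn" action="ssl-login-fail" '
    f'user="jdoe" remip=198.51.100.7 reason="sslvpn_login_permission_denied"'
    for i in range(1, 6)
] + [
    'date=2026-06-17 time=09:00:09 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=198.51.100.7',
    'date=2026-06-17 time=09:15:00 type="event" subtype="system" action="login" user="admin" remip=203.0.113.9',
    'date=2026-06-17 time=09:20:00 type="event" subtype="system" action="login" user="admin" remip=10.0.0.5',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS, ["10.0.0.0/8"]):
        print(*finding)
```

The sample run reports the VPN user whose five failures were followed by a success within seconds and the admin login from outside the 10.0.0.0/8 allowlist; the admin login from inside it is silent.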

TF Summary: What’s Next

Fortinet has issued a brief statement to financial regulators but no detailed public technical response. Affected organisations — most of which have not publicly acknowledged the breach — face immediate decisions about credential rotation and Active Directory remediation. NATO and the Turkish defence ministry have not commented on the classified document exfiltration. Diachenko and Beaumont continue publishing technical details as they confirm additional information.

MY FORECAST: The FortiBleed credential breach will produce a wave of delayed public disclosures from affected organisations over the next 30 to 60 days, as security teams complete forensic assessments of what the attackers actually accessed. The most consequential outcome, however, will not be the corporate disclosures. It will be the NATO intelligence damage assessment. Classified defence documents exfiltrated from a Turkish NATO contractor by a Russian-speaking group, during a period of active US-European tension over AI sovereignty, carry geopolitical weight that no corporate breach can match. The Cybersecurity and Infrastructure Security Agency (CISA) will issue an emergency directive requiring immediate Fortinet credential rotation across all US government systems, likely within 72 hours of this article publishing. And the Fortinet pattern of 2026, four separate authentication failures feeding a single credential harvest, will become the case study that security architects cite for the next decade when arguing against password-dependent perimeter security.
