FortiBleed: Credential Leak Hits Oracle, Lenovo, NATO, and 74,000 Fortinet Firewalls

AI Staff Writer

A Russian-speaking group cracked credentials for nearly 74,000 Fortinet firewalls across 194 countries. Oracle, Lenovo, Chevron, AT&T, FedEx, Samsung, Siemens, PwC, and a Turkish NATO defence contractor are all on the victim list. Almost all of those firewalls were still online when researchers found them.


The newly disclosed FortiBleed credential breach is one of the largest corporate credential exposures in recent memory, and it did not require a new vulnerability. Researchers discovered that a multi-operator, Russian-speaking cybercriminal group systematically harvested plaintext authentication credentials from 73,932 Fortinet firewall and VPN devices across 21,632 unique domains in 194 countries. The victim list spans virtually every sector of the global economy. Hudson Rock and reporting from BleepingComputer name Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Siemens, Lenovo, PwC, Accenture, and Oracle, alongside numerous government agencies. Researchers also confirmed that a Turkish NATO defence contractor suffered a full network breach, with classified defence documents exfiltrated in the process. Security researcher Bob Diachenko of SecurityDiscovery.com discovered the data after gaining access to the attackers’ command-and-control server. Independent researcher Kevin Beaumont then confirmed the credentials were real, and active.

What’s Happening & Why It Matters

FortiBleed Is Not a Vulnerability — It Is Credential Reuse at Industrial Scale

FortiBleed is named deliberately to echo Heartbleed, but the two share only their scale: FortiBleed is not a single CVE. It is the byproduct of an industrial-scale credential operation. The attack begins simply. According to Diachenko’s analysis, a multi-operator, Russian-speaking cybercriminal group systematically scanned the internet for exposed Fortinet instances, then tested them against historical credential databases harvested by infostealer malware. Most organisations use the same passwords across multiple systems. Many fail to rotate credentials after previous breaches. The attackers exploit exactly that gap.

Where credentials matched, the operators captured SSL VPN authentication hashes and cracked them offline using a 45-GPU cluster orchestrated through Hashtopolis. The most sobering takeaway from the dataset is that password complexity offered zero protection: a password reused from an earlier breach is already in the attacker’s hands, however strong it is. The group did not pick a lock. It simply tried every key it had already collected.

How the Attack Escalates: Active Directory Is the Real Target

The FortiBleed credential breach does not stop at the firewall. Once inside a Fortinet device, the attackers move immediately to the organisation’s core identity infrastructure. In several cases, the threat actors compromised the devices and then went on to access the company’s centralised authentication system. Specifically, that means Microsoft Active Directory and RADIUS servers — the two systems that control identity and access across an entire enterprise network. Furthermore, the breach creates a self-reinforcing cycle. Once attackers gain Active Directory access, they can harvest credentials for every other system connected to that directory. Each compromise feeds the next. The attacks have shifted from exploiting individual CVEs to industrialising the credentials those exposures produced.

The NATO Defence Contractor — Classified Documents Stolen

The most severe confirmed consequence of the FortiBleed credential breach is not corporate. Diachenko’s research confirmed full network compromises at organisations across Japan, Taiwan, Vietnam, Iraq, and Turkey — most critically, including a Turkish NATO defence contractor from which classified defence documents were successfully exfiltrated. That confirmation elevates FortiBleed from a corporate data incident to a national security event. NATO has not issued a public statement as of 18 June.

The victim list is geographically pointed: it skews heavily toward NATO member countries, which suggests money is not the only motive. Fortinet, for its part, denied that the data represents new attacks. The company characterised the information as “reshared data from previous incidents.” Diachenko and Beaumont both dispute that characterisation; Beaumont specifically confirmed the credentials are current and active, not historical.

“Almost All” Compromised Devices Are Online

The FortiBleed credential breach carries an ongoing risk that distinguishes it from historical data leaks. Independent researcher Kevin Beaumont reported that “almost all” of the compromised devices remained online as of Wednesday morning. That detail is critical. A breach affecting only decommissioned or patched systems is a historical problem. A breach affecting devices that are still operational is an active and ongoing one. Every compromised Fortinet firewall that is online with unchanged credentials is an open door.

As TF covered in its Mythos Project Glasswing expansion article, the 150 organisations receiving access to Anthropic’s most advanced security AI were selected specifically because a successful attack on their systems would affect over 100 million people. FortiBleed demonstrates exactly why that programme exists. The same critical infrastructure operators who need Mythos-level vulnerability scanning are the organisations whose Fortinet VPN credentials are in a 45-GPU Russian cracking cluster.

The Fortinet Track Record — FortiBleed Is Not Isolated

The FortiBleed credential breach sits within a documented pattern of Fortinet-related security incidents across 2026:

- 5 February 2026: Fortinet suffered CVE-2026-24858, a CVSS 9.4 FortiCloud SSO bypass and the fourth authentication-bypass flaw in eight weeks.
- 22 February 2026: a single actor used off-the-shelf AI tooling to breach 600-plus FortiGate firewalls across 55 countries in five weeks.
- 27 May 2026: attackers weaponised the patch cycle itself, delivering the EKZ infostealer disguised as a Fortinet update.
- 17 June 2026: FortiBleed, in which the credentials of 73,932 firewalls surfaced in a single dataset.

The progression is clear. Individual CVEs became credential harvesting. Credential harvesting became industrial-scale cracking. Industrial-scale cracking became a classified NATO document theft. The through-line is unmistakable: the attacks have shifted from exploiting individual CVEs to industrialising the credentials those exposures produced.

What Affected Organisations Must Do

The required response to the FortiBleed credential breach is unglamorous but non-negotiable. Security researchers at Hudson Rock, SOCRadar, and Arctic Wolf all published matching guidance on 17 June:

- Rotate every Fortinet administrator and VPN password immediately.
- Enforce multi-factor authentication on all Fortinet management interfaces.
- Review access logs for authentication events that should not exist.
- Restrict internet-facing management ports to known IP ranges.
- Update FortiOS firmware to the current release.
- Treat the network perimeter as already compromised until verified otherwise.

The most common failure that FortiBleed exploits is passive: organisations that skipped password resets after earlier Fortinet incidents are already on the attackers’ verified credential list.
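One way to carry out the log review described above, as an added example that is not from the article, from Fortinet, or from the researchers cited: a small Python script that parses FortiGate-style key=value syslog lines (constructed sample data; the field names user=, remip=, action= and status= are assumed to follow the FortiOS convention) and flags both successful logins from outside an allow-list of known ranges and source addresses that cycled through many usernames, the pattern a stolen credential list leaves behind when it is tested against a device.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in FortiGate-style key=value syslog format (not real logs).
# Field names (user=, remip=, action=, status=) follow the FortiOS convention as an
# assumption; every value is invented for this example.
SAMPLE_LOGS = """\
date=2026-06-17 time=08:01:12 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="203.0.113.9"
date=2026-06-17 time=08:01:13 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip="203.0.113.9"
date=2026-06-17 time=08:01:14 type="event" subtype="vpn" action="tunnel-up" user="akhan" remip="203.0.113.9"
date=2026-06-17 time=08:05:40 type="event" subtype="vpn" action="tunnel-up" user="akhan" remip="198.51.100.7"
date=2026-06-17 time=08:06:02 type="event" subtype="system" action="login" status="success" user="admin" remip="10.20.0.5"
date=2026-06-17 time=08:09:55 type="event" subtype="vpn" action="ssl-login-fail" user="pgarcia" remip="203.0.113.9"
"""

# Matches key="quoted value" or key=bare_value pairs.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one key=value log line into a dict; quoted and bare values both work."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def analyse(log_text, trusted_cidrs, spray_threshold=3):
    """Return (untrusted_successes, spray_sources): successful VPN/admin logins from
    outside trusted_cidrs, and source IPs that tried >= spray_threshold usernames
    (the signature of a stolen credential list being tested)."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    users_by_ip = defaultdict(set)
    untrusted_successes = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if "remip" not in ev or "user" not in ev:
            continue
        users_by_ip[ev["remip"]].add(ev["user"])
        succeeded = ev.get("action") == "tunnel-up" or (
            ev.get("action") == "login" and ev.get("status") == "success")
        src = ipaddress.ip_address(ev["remip"])
        if succeeded and not any(src in net for net in trusted):
            untrusted_successes.append((ev["user"], ev["remip"], ev["time"]))
    spray_sources = sorted(ip for ip, users in users_by_ip.items()
                           if len(users) >= spray_threshold)
    return untrusted_successes, spray_sources

if __name__ == "__main__":
    hits, sprayers = analyse(SAMPLE_LOGS, ["198.51.100.0/24", "10.0.0.0/8"])
    print("successful logins from untrusted ranges:", hits)
    print("possible credential-stuffing sources:", sprayers)
```

Any account that appears in the first list should be treated as compromised and rotated, whatever the password’s complexity; the second list is the set of sources to block at the management interface.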

TF Summary: What’s Next

Fortinet has issued a brief statement to financial regulators but no detailed public technical response. Affected organisations — most of which have not publicly acknowledged the breach — face immediate decisions about credential rotation and Active Directory remediation. NATO and the Turkish defence ministry have not commented on the classified document exfiltration. Diachenko and Beaumont continue publishing technical details as they confirm additional information.

MY FORECAST: The FortiBleed credential breach will produce a wave of delayed public disclosures from affected organisations over the next 30 to 60 days — as security teams complete forensic assessments of what the attackers actually accessed. By contrast, the most consequential outcome will not be the corporate disclosures. It will be the NATO intelligence damage assessment. Classified defence documents exfiltrated from a Turkish NATO contractor by a Russian-speaking group, during a period of active US-European tension over AI sovereignty, carry geopolitical weight that no corporate breach can match. The Cybersecurity and Infrastructure Security Agency (CISA) will issue an emergency directive requiring immediate Fortinet credential rotation across all US government systems — likely within 72 hours of the article’s publication. And the Fortinet pattern of 2026 — four separate authentication failures feeding a single credential harvest — is the case study that security architects cite for the next decade when arguing against password-dependent perimeter security.

