Russian hackers steal UK government logins in massive FortiBleed breach

Russian-linked hackers have stolen login credentials from British government officials and Foreign Office staff stationed overseas in what researchers are calling one of the largest Fortinet security incidents to date, according to a report by The Telegraph published on July 5. telegraph.co.uk

The attack, dubbed “FortiBleed” by cybersecurity researchers, compromised more than 80,000 Fortinet firewalls, exposing email addresses and passwords that are now being sold on dark web forums for as much as $60,000. Breached accounts include those belonging to IT staff at British embassies in Thailand and Mauritius, local council employees in Derbyshire and Waltham Forest, and login details for NHS systems, energy suppliers, and medicine distributors. sofx.com azernews.az telegraph.co.uk

Scale of the Campaign

Security researchers first identified the FortiBleed dataset in mid-June 2026, when analyst Volodymyr “Bob” Diachenko reported that verified administrator and SSL VPN credentials for approximately 73,932 FortiGate firewall URLs across 194 countries had surfaced in criminal underground communities. SOCRadar later confirmed 86,644 credentials were harvested through widespread brute-force and credential-stuffing attacks. Recorded Future attributed the campaign to a Russian-speaking threat group, though there is currently no direct evidence of Russian state involvement. mezha.net recordedfuture.com arcticwolf.com sofx.com

The National Cyber Security Centre issued an urgent alert instructing organizations to audit networks, isolate compromised devices, and factory-reset affected hardware. The U.S. Cybersecurity and Infrastructure Security Agency similarly urged hardening of Fortinet devices following reports of global credential exposure. infosecurity-magazine.com cisa.gov telegraph.co.uk

Broader Threat Landscape

The breach comes weeks after GCHQ Director Anne Keast-Butler delivered a rare public warning in late May that Russia is “relentlessly targeting critical infrastructure, democratic processes, supply chains and public trust” through intensifying hybrid operations against the UK and Europe. Keast-Butler described a “narrowing window” for Britain and its allies to stay ahead of threats from state and proxy cyber actors. cnn.com nytimes.com reuters.com

Cybersecurity firms have urged affected organizations to immediately rotate all FortiGate administrative and VPN credentials, enforce multi-factor authentication, and restrict internet exposure for management interfaces. The NCSC advised organizations to assume exposed credentials are compromised and to hunt for signs of downstream infiltration within their networks. bitsight.com arcticwolf.com infosecurity-magazine.com