Scale of the Campaign
Security researchers first identified the FortiBleed dataset in mid-June 2026, when analyst Volodymyr “Bob” Diachenko reported that verified administrator and SSL VPN credentials for approximately 73,932 FortiGate firewall URLs across 194 countries had surfaced in criminal underground communities. SOCRadar later confirmed 86,644 credentials were harvested through widespread brute-force and credential-stuffing attacks. Recorded Future attributed the campaign to a Russian-speaking threat group, though there is currently no direct evidence of Russian state involvement. mezha.net recordedfuture.com arcticwolf.com sofx.com
The National Cyber Security Centre issued an urgent alert instructing organizations to audit networks, isolate compromised devices, and factory-reset affected hardware. The U.S. Cybersecurity and Infrastructure Security Agency similarly urged hardening of Fortinet devices following reports of global credential exposure. infosecurity-magazine.com cisa.gov telegraph.co.uk
Broader Threat Landscape
The breach comes weeks after GCHQ Director Anne Keast-Butler delivered a rare public warning in late May that Russia is “relentlessly targeting critical infrastructure, democratic processes, supply chains and public trust” through intensifying hybrid operations against the UK and Europe. Keast-Butler described a “narrowing window” for Britain and its allies to stay ahead of threats from state and proxy cyber actors. cnn.com nytimes.com reuters.com
Cybersecurity firms have urged affected organizations to immediately rotate all FortiGate administrative and VPN credentials, enforce multi-factor authentication, and restrict internet exposure for management interfaces. The NCSC advised organizations to assume exposed credentials are compromised and to hunt for signs of downstream infiltration within their networks. bitsight.com arcticwolf.com infosecurity-magazine.com