
FortiBleed Exposes 73,932 FortiGate Firewalls - Credentials Verified

recordedfuture.com · @threat_watch · 5 hours ago · Cybersecurity · 4 comments

A dataset of 73,932 FortiGate admin and VPN credentials, attributed to a Russian-speaking group, has been independently verified as authentic, with impacts across government and critical infrastructure.

Tags: fortibleed, fortigate, fortinet, russian threat group, credential leak, recorded future

73,932 FortiGate firewall URLs have their admin and SSL VPN credentials sitting in a public dataset, and researchers confirm those credentials actually work. Volodymyr "Bob" Diachenko reported the FortiBleed dataset on June 13, 2026. Kevin Beaumont and Hudson Rock validated portions of it - sampled administrative credentials are authentic, and many affected devices remain online with management interfaces exposed.

The FortiBleed Dataset

This isn't a random dump of old passwords. The dataset covers 194 countries and more than 21,600 domains. Affected organizations span government, telecommunications, financial services, healthcare, manufacturing, and critical infrastructure. One confirmed target is a Turkish NATO defense contractor from which threat actors allegedly exfiltrated classified documents. Attribution points to a Russian-speaking group.

Hudson Rock released a free lookup tool for organizations to check their exposure. Recorded Future's Insikt Group independently linked the IP 85.11.187.8 to the campaign, observing HTTP activity on port 9999 on June 7, 2026, followed by SSH, VNC, and RDP activity on June 14-15. Artifacts included a sniffer log for Fortinet credential capture (fg_capture.log), Hashcat/Hashtopolis orchestration files, AD enumeration scripts, and log-clearing markers.

How the Attack Worked

Threat actors conducted roughly 1.16 billion credential attempts against 320,777 FortiGate targets and another 2.1 billion attempts against 163,650 Microsoft SQL Server systems. They intercepted SSL VPN authentication hashes and used a 45-GPU cluster managed through Hashtopolis to crack them offline. No ongoing access to the devices was needed - the dataset likely came from exported FortiGate configuration files.

This offline cracking methodology means organizations have no logs of the initial credential theft. The campaign is one of the largest confirmed FortiGate credential exposures on record. And with a Russian-speaking group behind it, espionage objectives are likely alongside opportunistic access.

What Organizations Need to Do Now

Rotate all FortiGate admin and SSL VPN credentials immediately. Enforce multi-factor authentication on every remote and administrative access path. Review Fortinet logs for unusual logins, admin sessions, config changes, and new accounts. Consider replacing devices that show suspicious activity. Restrict or remove internet exposure for management interfaces. Patch FortiOS and review hardening settings. Hunt for downstream compromise inside the network if exposed credentials were in use.
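The log-review step above (unusual logins, admin sessions, config changes, new accounts) and the Insikt Group indicator (85.11.187.8) can be turned into a first-pass triage script. The following is an added example, not code from the article, Recorded Future, or Fortinet: it parses FortiGate-style key=value event lines, flags the indicator IP from the report, admin logins from outside an assumed management allowlist, configuration changes, creation of new admin objects, and bursts of failed logins. The sample log lines are constructed for illustration, and the allowlist, thresholds, and rule names are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in FortiGate's key=value syslog style. Only the IP 85.11.187.8
# comes from the report; device names, users, addresses and object names are made up.
SAMPLE_LOGS = [
    'date=2026-06-14 time=03:12:41 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(85.11.187.8)" srcip=85.11.187.8 action="login" status="success" profile="super_admin"',
    'date=2026-06-14 time=03:13:05 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Object configured" user="admin" ui="https(85.11.187.8)" srcip=85.11.187.8 action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2026-06-14 time=03:13:30 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Attribute configured" user="admin" ui="https(85.11.187.8)" srcip=85.11.187.8 action="Edit" cfgpath="system.interface" cfgobj="wan1" cfgattr="allowaccess[ping https ssh]" msg="Edit system.interface wan1"',
    'date=2026-06-14 time=08:02:11 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(10.20.1.5)" srcip=10.20.1.5 action="login" status="success" profile="super_admin"',
    'date=2026-06-14 time=08:05:40 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Attribute configured" user="netops" ui="https(10.20.1.5)" srcip=10.20.1.5 action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[quarterly review]" msg="Edit firewall.policy 12"',
    'date=2026-06-14 time=08:30:02 devname="fw-edge-01" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="netops" ui="https(10.20.1.5)" srcip=10.20.1.5 action="login" status="failed" reason="passwd_invalid"',
] + [
    # six SSL VPN failures from one external address within a few seconds (constructed)
    f'date=2026-06-14 time=09:15:0{i} devname="fw-edge-01" type="event" subtype="vpn" level="information" logdesc="SSL VPN login fail" user="j.doe" remip=198.51.100.77 action="ssl-login-fail" reason="sslvpn_login_permission_denied"'
    for i in range(6)
]

# Indicator taken from the article; the allowlist is an assumed management network.
IOC_IPS = {"85.11.187.8"}
ADMIN_SOURCE_ALLOWLIST = ["10.20.0.0/16"]

# key=value pairs; quoted values may contain spaces, brackets and parentheses.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Return the key=value fields of one log line as a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _in_allowlist(ip, networks):
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def review_fortigate_logs(lines, ioc_ips=IOC_IPS, allowlist=ADMIN_SOURCE_ALLOWLIST, fail_threshold=5):
    """Apply the review rules from the remediation checklist and return a list of findings."""
    allowed_nets = [ipaddress.ip_network(n) for n in allowlist]
    findings = []
    failures = Counter()  # failed logins per source address
    for line in lines:
        ev = parse_fortigate_line(line)
        src = ev.get("srcip") or ev.get("remip")
        desc = ev.get("logdesc", "")
        base = {"time": f'{ev.get("date")} {ev.get("time")}', "user": ev.get("user"), "src": src, "desc": desc}
        # 1. any event tied to a known indicator address
        if src in ioc_ips:
            findings.append({"rule": "ioc_source", **base})
        # 2. admin sessions from outside the management network
        if desc == "Admin login successful" and not _in_allowlist(src, allowed_nets):
            findings.append({"rule": "admin_login_unexpected_source", **base})
        # 3. new admin accounts, and 4. every other configuration change
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append({"rule": "new_admin_account", "object": ev.get("cfgobj"), **base})
        elif ev.get("cfgpath"):
            findings.append({"rule": "config_change", "path": ev.get("cfgpath"), "object": ev.get("cfgobj"), **base})
        # 5. failed admin or SSL VPN logins, aggregated per source
        if desc in ("Admin login failed", "SSL VPN login fail"):
            failures[src] += 1
    for src, count in failures.items():
        if count >= fail_threshold:
            findings.append({"rule": "login_failure_burst", "src": src, "count": count})
    return findings


def rule_counts(findings):
    """Summarize findings as {rule_name: count} for a quick triage view."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in review_fortigate_logs(SAMPLE_LOGS):
        print(f)
    print(rule_counts(review_fortigate_logs(SAMPLE_LOGS)))
```

In practice the input would be the exported event log (or a SIEM query result) for the period since the devices were first exposed, and the allowlist would be the organization's actual management subnets; any `ioc_source`, `admin_login_unexpected_source`, or `new_admin_account` hit is a reason to move to the downstream-compromise hunt rather than just rotating credentials.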

Recorded Future customers with affected domains will receive automated credential alerts as sources are ingested. The full Analyst Note and FortiBleed Intelligence Card are available in the Recorded Future Portal.

If your org runs Fortinet and you haven't rotated credentials today, you're betting your network on someone else's failure to act.


Source: FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems
Domain: recordedfuture.com


