A large credential dataset dubbed FortiBleed has exposed working administrator and VPN logins for tens of thousands of internet-facing Fortinet FortiGate firewalls worldwide.
The data was discovered by security researcher Volodymyr “Bob” Diachenko, who found an attacker’s server left open online, complete with the group’s tooling, logs, and credential database.
Threat intelligence firm Hudson Rock analyzed the haul, counting 73,932 affected firewall URLs across 194 countries and more than 21,000 corporate domains.
Independent researcher Kevin Beaumont verified that the logins were real and current, and estimated from network-scan data that the dataset covers roughly half of all Fortinet firewalls currently exposed to the internet.
Why Strong Passwords Didn’t Help
The most striking finding is that password complexity made little difference. According to Hudson Rock, a significant number of the compromised credentials were long and complex, yet appeared in the data in plaintext because they had been lifted from earlier breaches and infostealer malware logs, rather than cracked.
Yagub Rahimov, CEO of AI security firm Polygraf AI, told Expert Insights this reframes how defenders should think about credentials.
A “complex password that’s passed through an infostealer protects you as much as ‘password123,’” he said, arguing that the industry has long treated credential strength as the barrier between an attacker and the network.
“We need to care as much about exposure as we do about… credential strength,” he added.
A Condition, Not an Event
Rahimov also argued the deeper problem is how organizations respond to leaks.
“Organizations treat a breach as an event to clean up after, not a condition to design around,” he said, with the result that credentials get rotated once and then drift back into exposure.
He described FortiBleed as what that drift looks like across an entire vendor’s install base, and warned that as long as leaks are treated as discrete incidents, the credentials that slip through become the seed of the next dataset.
Fortinet has disputed the framing, saying in a PSIRT statement that the data is likely a reshare of material from previous incidents combined with brute-forcing, and is not a new vulnerability or tied to any recent advisory.
Beaumont, who verified that the credentials are active, argued that the distinction matters little to an organization whose keys still work.
With no patch to apply, CISA has urged affected customers to reset all Fortinet VPN and administrative passwords, enforce MFA, restrict management interfaces to trusted networks, and confirm credentials are stored using the stronger PBKDF2 algorithm.