Home Real-life Cyberattacks Cases
In June 2026, security researchers uncovered one of the largest credential-compromise events ever documented against network perimeter devices. A large-scale, fully automated operation, later named FortiBleed, had been quietly targeting Fortinet firewalls and VPN gateways, compromising more than 30,000 internet-facing devices across nearly 200 countries.
The campaign was first spotted by independent security consultant Volodymyr Diachenko and analysed in depth by the threat intelligence firm SOCRadar, which discovered an exposed operational server belonging to the attackers. That server handed researchers a rare inside view: the group's tooling, automation scripts and a verified database holding working login credentials for more than 30,791 devices spanning 194 countries.
The most alarming detail is what the campaign did not involve. There was no zero-day, no novel exploit and no software vulnerability. The operation ran on a simple, brutal premise: a curated list of passwords already leaked in earlier Fortinet incidents, fired back at organisations that had never changed them. Many of the compromised accounts were generic administrator logins, default or built-in system accounts, or long-lived credentials that had never been rotated after a previous breach.
What made FortiBleed so effective was its self-sustaining design. Automated tools continuously scanned the internet for exposed Fortinet devices and tested them against the credential list. Each successful login was recorded, and the compromised device was then turned into a listening post, capturing additional credentials flowing through it. Those freshly harvested passwords were fed straight back into the scanner, allowing the operation to compromise ever more devices with no human at the keyboard.
The footprint cut across every critical sector. The verified victims spanned 21,108 unique IP addresses and 8,316 unique domains, reaching organisations in government, telecommunications, healthcare, education, financial services and critical infrastructure. Researchers rated the threat critical and warned that any organisation appearing in the dataset should treat its network perimeter as already compromised.
FortiBleed is a textbook reminder that the perimeter is only as strong as the credentials protecting it. The attackers needed no advanced techniques because the basics had been neglected. The following measures would have closed the door on this campaign and apply to any organisation operating internet-facing security appliances.
Change default and legacy passwords
The entire campaign was built on credentials that were never changed. Default and built-in accounts must be renamed or disabled, and every password rotated, especially any credential that predates a known breach. Password complexity is irrelevant once a credential has already leaked; only rotation removes the exposure.
Enforce Multi-Factor Authentication (MFA) wherever passwords are used
Where passwords remain in use, MFA should be mandatory on every administrative and remote-access account. A second authentication factor neutralises stolen credentials: even a valid, leaked username and password become useless to an attacker who cannot satisfy the additional check.
Rely on passkeys and phishing-resistant authentication where possible
Better still, move beyond passwords altogether. Passkeys and phishing-resistant methods such as FIDO2 or certificate-based authentication eliminate the very asset attackers harvest, because there is no static, reusable secret left to leak, stuff or replay. Adopting them removes an entire class of credential attacks at the source.
Remove management interfaces from the public internet
Administrative and VPN management portals should never be reachable from the open internet. Restricting access to trusted internal addresses, applying local-in policies, and adopting Zero Trust Network Access (ZTNA) dramatically shrink the attack surface. Simply taking the management interface off public exposure removes a large share of the risk on its own.
Validate credentials across your device fleet, we can help
The hardest part of a campaign like FortiBleed is knowing whether your own credentials are already exposed. Devoteam Cyber Trust can help you validate any default credentials still in place, cross-check your organisation against known leaked and compromised credential dumps, and identify your exposed attack surface. We then go further and perform penetration testing against your assets, both externally and internally, to confirm what an attacker could actually reach and exploit before they do.
This episode is less a Fortinet story than a demonstration of a repeatable pattern that will recur across other vendors and platforms: an internet-exposed management interface, credentials already circulating in criminal markets, weak or legacy password handling, and absent MFA. Each weakness is exploitable on its own; together they make an attack effortless. Closing any one of these links breaks the chain, and addressing all four makes your organisation a target attackers cannot afford to pursue.