
Hackers have built an illicit database containing more than 30,000 verified Fortinet logins from companies across 194 countries, new research finds – all part of a massive credential-harvesting operation targeting Fortinet firewalls and VPN gateways to carry out further attacks.
- Hackers have reportedly compiled a database containing more than 30,000 verified Fortinet usernames and passwords from organizations worldwide.
- Researchers say the “FortiBleed” attack continuously tests stolen credentials and uses compromised devices to gather fresh login information.
- The findings suggest some organizations may still be using passwords exposed during earlier Fortinet security incidents.
The database is said to contain working usernames and passwords for 30,791 Fortinet devices belonging to banks, hospitals, telecom operators, universities, government agencies, energy companies, and multinational corporations, according to research published Monday by SOCRadar.
Breaking down the more than 30,000 compromised devices, SOCRadar identified 21,108 unique IP addresses and 8,316 unique domains.
SOCRadar on Tuesday said its Threat Research team has reconstructed the full attack chain behind the campaign, validated the exposed records, and proactively notified thousands of affected customers, as well as local and national CERTs.
30,000 verified Fortinet logins exposed
Dubbing the campaign “FortiBleed,” researchers say the hackers are actively testing the compiled credentials using automated tools that continuously scan the internet for exposed Fortinet devices.
Once a successful login is found, the compromised device is then used to monitor the victims’ network traffic and collect additional credentials, creating what researchers describe as a self-sustaining cycle of compromise.
“The freshly collected passwords are fed back into the scanner to compromise even more devices. The system feeds itself,” SOCRadar explains.
What’s more, SOCRadar says the US is among the most heavily targeted countries, only behind India, with Mexico coming in at number three. Together, the US and India account for a third of all database entries, the research shows.
Enterprise organizations with more than $1B in revenue make up over 20% of the entries, it further notes.
“Fortinet firewalls and VPN gateways are among the most widely deployed network security devices in the world. Organizations across every sector rely on them to control access to their networks and protect sensitive infrastructure,” the researchers say.
Telecoms and governments targeted
Based on the tooling, infrastructure, and victim selection, SOCRadar believes perpetrators are most likely Russian-speaking threat actors and that many of the affected organizations happen to be located in NATO member countries.
The researchers say this could point to a geopolitical motive alongside financial gain and the infiltration of critical infrastructure targets, including governments, telecoms, energy firms, hospitals, and universities – sectors often prized for intelligence collection.
While the source of the dataset remains unclear, watchTowr CEO and founder Benjamin Harris says “it’s highly likely the credentials were accumulated over time by exploiting vulnerabilities in externally facing Fortinet applications.”
“The uncomfortable reality is that modern exploitation isn't always about immediate impact,” Harris says. “It's about harvesting data that retains value long after the underlying vulnerability has been patched.”
SOCRadar says telecom companies were among the most targeted sectors with 5,616 entries, followed by government organizations and large enterprises.
In the government sector alone, SOCRadar identified 591 entries across 111 domains.
The report also found exposed Fortinet devices listening on several management and VPN-related ports, suggesting attackers were probing multiple access points rather than relying on a single exposed service.
Database built from previous Fortinet attacks
With the majority of compromised credentials consisting of generic admin accounts and built-in Fortinet system accounts, researchers say the password list is not random but a carefully curated collection of credentials leaked in previous Fortinet incidents.
The threat actors are banking on the assumption, and rightly so, says SOCRadar, that many former breach victims never change their passwords after the fact.
Essentially, even if a company patched a vulnerable Fortinet device years ago, attackers can still get in if exposed passwords were never changed.
Citing separate research that identified more than 73,000 exposed Fortinet VPN credentials, Harris says the campaign reflects a broader pattern of “attackers harvesting credentials and retaining access while the incident fades from view.”
“A vulnerability may exist only for a short time, but stolen credentials can provide access for months or years,” Harris says.
Researchers urge immediate password resets
Rating the campaign as “critical,” SOCRadar says it published its findings to alert defenders to the ongoing campaign, even though the database has not been offered for sale on any hacker forums to date.
SOCRadar also said Tuesday it released a free FortiBleed Exposure Checker, allowing organizations to verify whether their IP addresses or domains appear in the FortiBleed dataset.
The single most important step every organization should take is to immediately “change every password on every Fortinet device your organization operates, including VPN accounts and admin accounts,” the researchers say.
“Do it today. Then enable two-factor authentication, review your login history, and restrict admin access so it cannot be reached from the open internet,” they said.
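Reviewing login history for the pattern the campaign relies on (a burst of failed logins from one source followed by a success, or a built-in admin account authenticating from outside trusted ranges) can be scripted. The following is an added example, not SOCRadar's or Fortinet's code; the log lines are constructed in a FortiGate-style key="value" layout, and the field names, failure threshold and trusted-range prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style event lines for illustration only (not real device logs).
SAMPLE_LOG = """\
date=2026-06-16 time=09:00:01 type="event" subtype="system" user="admin" ui="https(203.0.113.5)" action="login" status="failed"
date=2026-06-16 time=09:00:02 type="event" subtype="system" user="admin" ui="https(203.0.113.5)" action="login" status="failed"
date=2026-06-16 time=09:00:03 type="event" subtype="system" user="admin" ui="https(203.0.113.5)" action="login" status="failed"
date=2026-06-16 time=09:00:04 type="event" subtype="system" user="admin" ui="https(203.0.113.5)" action="login" status="failed"
date=2026-06-16 time=09:00:05 type="event" subtype="system" user="admin" ui="https(203.0.113.5)" action="login" status="success"
date=2026-06-16 time=09:10:00 type="event" subtype="system" user="jdoe" ui="https(10.0.0.8)" action="login" status="failed"
date=2026-06-16 time=09:10:30 type="event" subtype="system" user="jdoe" ui="https(10.0.0.8)" action="login" status="success"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
UI_RE = re.compile(r'^(\w+)\(([^)]+)\)$')    # ui="https(1.2.3.4)" -> method, source IP


def parse_line(line):
    """Turn one key=value log line into a dict, unquoting values and splitting the ui field."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = UI_RE.match(fields.get("ui", ""))
    if m:
        fields["method"], fields["src"] = m.group(1), m.group(2)
    return fields


def find_stuffing(log_text, max_failures=3, trusted_prefixes=("10.",)):
    """Return alerts for (a) a source that fails >= max_failures times and then logs in,
    and (b) any successful 'admin' login from a source outside the assumed trusted ranges."""
    failures = defaultdict(int)   # consecutive failed attempts per source IP
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "login" or "src" not in ev:
            continue
        src, user = ev["src"], ev.get("user")
        if ev.get("status") == "failed":
            failures[src] += 1
            continue
        # A success: check what preceded it and where it came from.
        if failures[src] >= max_failures:
            alerts.append(("spray-then-success", src, user, failures[src]))
        if user == "admin" and not src.startswith(trusted_prefixes):
            alerts.append(("admin-login-untrusted-src", src, user, 0))
        failures[src] = 0
    return alerts
```

Running `find_stuffing(SAMPLE_LOG)` on the constructed lines flags the admin source 203.0.113.5 twice and leaves the ordinary user's single typo-then-success alone.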
Unfortunately, the California-based cybersecurity company is no stranger to attacks, with one X user even asking, “Why is Fortinet always getting Fortifucked?” in response to the SOCRadar post.
“Why is Fortinet always getting Fortifucked?” Chase Owens (@old_f0lk), June 17, 2026
This past December, threat actors took advantage of two critical vulnerabilities affecting Fortinet FortiGate devices, actively exploiting the flaws only days after they were publicly disclosed.
And earlier that spring, researchers found hackers lurking in more than 14,000 Fortinet VPNs, after having gained access by creating malicious files from previously known Fortinet vulnerabilities.