A database of around 75,000 credentials stolen from FortiGate firewall and SSL VPN customers was discovered last week, and it contains usernames, email addresses and plaintext passwords for organisations including Oracle, Spotify, Toyota and AT&T.
Scale and scope of the exposure
Security researchers say the dataset, dubbed “FortiBleed,” reaches far beyond a handful of targets. Hudson Rock — a firm specialised in infostealer malware — reported that the exposed logins affect customers in 194 countries and are linked to more than 21,000 unique domains. It is understood that credentials on around half of all internet‑accessible Fortinet firewalls may have been exposed.
Hudson Rock also quantified the campaign’s operational footprint: the attackers executed an estimated 1.16 billion credential attempts against over 320,000 FortiGate targets, alongside an additional 2.1 billion brute‑force attempts directed at over 160,000 MSSQL servers. Reports suggest many organisations have already suffered full network compromise as a result.
How the attackers appear to have operated
Investigators have not yet established a single confirmed entry vector. The source material says it is unclear whether attackers exploited legacy vulnerabilities in the products or a previously unknown zero day. What is clear from forensic accounts is the sequence the actors followed: researchers say the intruders first stole configuration data and then brute‑forced the passwords contained within.
The NCSC cited “brute‑force, dictionary and credential stuffing attempts” as part of the campaign. That pattern — configuration theft followed by large‑scale automated login attempts — helps explain both the size of the credential dataset and the widespread targeting Hudson Rock observed.
NCSC guidance for Fortinet customers
The UK’s National Cyber Security Centre (NCSC) has issued concrete steps for organisations that find themselves in the leaked dataset. The centre urged customers to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools to determine whether their devices have been affected, and then to search for indicators of compromise (IoCs) such as unauthorized account creation or unexpected activity in log files.
- Isolate compromised devices from the internet and internal networks.
- Report the incident to the government and consider using an assured incident response provider.
- Obtain logs, configs and other artefacts from the device, then factory reset it.
- Investigate other edge devices that share credentials with the compromised device.
- Investigate devices reachable by the compromised device and monitor firewall logs for suspicious activity to ensure no onward compromise has occurred.
- Harden the re‑commissioned system: ensure it is on the latest version, use strong, unique admin passwords and multi‑factor authentication (MFA), and do not expose the admin interface to the internet. Users should also enable PBKDF2 for the admin interface.
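The NCSC's first step, searching device logs for indicators such as unauthorized account creation and unexpected activity, can be scripted. The following is an added example written for this page, not code from the NCSC, Hudson Rock or Fortinet: it parses FortiGate-style key=value event logs and flags three of the patterns the article describes (bursts of failed admin logins from one source, admin account additions, and successful admin logins from outside the expected management network). The sample log lines are constructed, and the field names (logdesc, cfgpath, cfgobj, action, status, srcip) and the 10.0.0.0/8 management allowlist are assumptions; check them against the log format your own devices emit before relying on the matches.

```python
import ipaddress
import re
from collections import Counter
from pprint import pprint

# Constructed sample of FortiGate-style key=value event logs. Field names are
# assumptions for illustration; they are not lines quoted from the article or
# from a real device.
SAMPLE_LOGS = """\
date=2025-01-10 time=02:11:01 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.45 action="login" status="failed"
date=2025-01-10 time=02:11:02 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.45 action="login" status="failed"
date=2025-01-10 time=02:11:03 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.45 action="login" status="failed"
date=2025-01-10 time=02:11:04 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.45 action="login" status="failed"
date=2025-01-10 time=02:11:05 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed"
date=2025-01-10 time=02:11:09 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=203.0.113.45 action="login" status="success"
date=2025-01-10 time=02:12:30 devname="fw-edge-1" type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=203.0.113.45 action="Add" cfgpath="system.admin" cfgobj="support_tmp"
date=2025-01-10 time=09:00:00 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.20.0.15 action="login" status="success"
"""

# key=value pairs, where the value is either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of field -> value."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def parse_logs(text):
    """Parse every non-empty line of a log dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_sources(events, threshold=3):
    """Source IPs with at least `threshold` failed admin logins: the brute-force /
    credential-stuffing signal the NCSC cites."""
    counts = Counter(e.get("srcip") for e in events
                     if e.get("action") == "login" and e.get("status") == "failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def admin_accounts_created(events):
    """Admin account additions: the 'unauthorized account creation' IoC.
    Returns (new account, acting user, source IP) tuples."""
    return [(e.get("cfgobj"), e.get("user"), e.get("srcip")) for e in events
            if e.get("action") == "Add" and e.get("cfgpath", "").startswith("system.admin")]


def _in_allowlist(ip, allowed_nets):
    """True if `ip` falls inside one of the expected management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or missing address is never trusted
    return any(addr in ipaddress.ip_network(net) for net in allowed_nets)


def logins_outside_allowlist(events, allowed_nets):
    """Successful admin logins from addresses outside the management allowlist."""
    return [(e.get("user"), e.get("srcip")) for e in events
            if e.get("action") == "login" and e.get("status") == "success"
            and not _in_allowlist(e.get("srcip", ""), allowed_nets)]


def triage(text, allowed_nets=("10.0.0.0/8",), threshold=3):
    """Run all three checks over a log dump and summarise the findings."""
    events = parse_logs(text)
    findings = {
        "failed_login_sources": failed_login_sources(events, threshold),
        "admin_accounts_created": admin_accounts_created(events),
        "logins_outside_allowlist": logins_outside_allowlist(events, allowed_nets),
    }
    # any non-empty finding is enough to escalate the device for isolation
    findings["suspicious"] = any(findings.values())
    return findings


if __name__ == "__main__":
    pprint(triage(SAMPLE_LOGS))
```

On the constructed sample the script reports four failed logins from 203.0.113.45, a successful admin login from that same address, and the addition of a `support_tmp` admin account immediately afterwards, which is exactly the sequence (credential guessing, then account creation) that should trigger the isolate-and-collect steps above rather than a password reset alone. The netops login from 10.20.0.15 is inside the allowlist and is not flagged.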
Impacted organisations and signs of compromise
The leaked dataset contains plaintext passwords and identifies a range of affected organisations; the source names Oracle, Spotify, Toyota and AT&T among those appearing in the collection. The formatting of the leak has also drawn comment: cybersecurity researcher Kevin Beaumont said the leaked information “is formatted in a way which looks like an eCrime gang – e.g. it lists the type of company, their revenue and country.”
Because many reported compromises have led to full network takeover, any organisation appearing in the database should treat the exposure as high risk and follow the NCSC’s remediation steps and IoC checks without delay.
What this means for security teams, affected enterprises, and policymakers
Security teams: Operational defenders must assume credential exposure translates quickly into lateral movement and privilege escalation. The NCSC’s checklist — isolate, collect artefacts, reset, harden and monitor — maps directly to triage priorities for teams responding to a FortiBleed hit.
Affected enterprises and procurement leaders: Organisations named in the dataset will need to reconcile the leak with their incident‑response and supplier‑risk processes, including whether other edge devices share credentials and whether assured incident response help is required.
Policymakers and government responders: The NCSC’s public guidance and its recommendation to report incidents to government channels underscore that this campaign is being treated as a national‑scale cyber incident with cross‑border impact across nearly 200 countries.
The facts on hand show a large, automated campaign that combined stolen configurations with mass brute‑force activity and left a searchable trove of plaintext credentials. The technique produced a breadth of exposure that security teams must now contain and harden against. The unanswered technical question that remains in the reporting is how the initial configuration theft was achieved — legacy flaws or a novel zero day — a detail that will determine longer‑term fixes. For now, the immediate imperative from the NCSC is plain: check, isolate, reset, and harden.