Security researchers have identified a large-scale credential harvesting campaign dubbed “FortiBleed,” which exposed authentication data associated with approximately 73,900 Fortinet and FortiGate firewall and VPN devices worldwide. The leaked dataset reportedly contains usernames, email addresses, and plaintext passwords linked to organizations across multiple sectors, including telecommunications, manufacturing, technology, government, and critical infrastructure. Researchers identified credentials associated with numerous high-profile organizations, underscoring the broad scope of the exposure.
Investigations, supported by Fortinet, indicate that the campaign was not the result of a newly discovered vulnerability affecting the company’s products. Instead, threat actors appear to have aggregated credentials obtained through previous data breaches, infostealer malware infections, credential dumps, and large-scale password-spraying activity. Researchers believe attackers systematically targeted internet-facing Fortinet appliances, using previously compromised credentials to gain access and harvest additional authentication data.
The campaign highlights the continued effectiveness of valid account abuse as an initial access vector. Compromise of perimeter devices such as VPN gateways and firewalls can provide attackers with a foothold into enterprise networks, enabling credential theft, traffic monitoring, persistence, and lateral movement. Regardless of the source of the exposed credentials, the scale of the incident underscores the risks associated with credential reuse and weak identity controls. Organizations are advised to rotate credentials, enforce multi-factor authentication, restrict management interfaces from direct internet exposure, and continuously monitor for unauthorized access involving legitimate accounts.
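As an added example that is not from the article or from Fortinet, the detection below looks for the pattern described above: one source address failing against many distinct usernames (password spraying) and then succeeding with one of them (valid-account abuse). The log lines are constructed, and the FortiGate-style key=value layout with fields `action`, `user` and `remip` is an assumption, so adjust the field names to match your own export.

```python
import re
from collections import defaultdict

# Constructed sample events in an assumed FortiGate-like key=value layout (not real telemetry).
SAMPLE_LOGS = """\
date=2024-01-10 time=02:14:01 type=event subtype=vpn action="ssl-login-fail" user="alice" remip=203.0.113.7
date=2024-01-10 time=02:14:03 type=event subtype=vpn action="ssl-login-fail" user="bob" remip=203.0.113.7
date=2024-01-10 time=02:14:05 type=event subtype=vpn action="ssl-login-fail" user="carol" remip=203.0.113.7
date=2024-01-10 time=02:14:07 type=event subtype=vpn action="ssl-login-fail" user="dave" remip=203.0.113.7
date=2024-01-10 time=02:14:09 type=event subtype=vpn action="ssl-login-fail" user="erin" remip=203.0.113.7
date=2024-01-10 time=02:14:11 type=event subtype=vpn action="tunnel-up" user="erin" remip=203.0.113.7
date=2024-01-10 time=08:30:00 type=event subtype=vpn action="tunnel-up" user="frank" remip=198.51.100.20
date=2024-01-10 time=08:31:00 type=event subtype=vpn action="ssl-login-fail" user="frank" remip=198.51.100.20
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split a key=value log line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect_spray(lines, min_distinct_users=5):
    """Return one finding per source address that failed against at least
    min_distinct_users different accounts, listing any account that logged in
    successfully from that source after the spray threshold was reached."""
    failed_users = defaultdict(set)   # remip -> usernames with failed logins
    abused = defaultdict(set)         # remip -> usernames that succeeded after a spray
    for raw in lines:
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn":
            continue
        src, user, action = ev.get("remip"), ev.get("user"), ev.get("action")
        if action == "ssl-login-fail":
            failed_users[src].add(user)
        elif action == "tunnel-up" and len(failed_users[src]) >= min_distinct_users:
            abused[src].add(user)     # valid-account abuse: success following a spray
    return [
        {"src": src, "distinct_users": len(users), "success_after_spray": sorted(abused[src])}
        for src, users in failed_users.items()
        if len(users) >= min_distinct_users
    ]

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOGS.splitlines()):
        print(finding)
```

The normal user `frank` (one failure, one success from his own address) is not flagged, while the spraying source is reported together with the account it eventually logged in with.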