
A very large data breach involving Fortinet FortiGate firewall logins has recently come to light. Named FortiBleed, the dataset covers 73,932 firewalls from around the world and includes login information such as usernames, email addresses, and even the plaintext passwords used on these devices.
Large organizations like Foxconn, Samsung, Comcast, and Toyota appear on the list. The dataset even records each victim's industry sector, turnover, and number of employees, apparently for later use.
Attack Strategy and Credential Harvesting
FortiBleed exploitation was highly automated. The attackers systematically scanned internet-facing FortiGate appliances and backed up their configurations, attempting about 1.16 billion logins to FortiGates and 2.1 billion logins to Microsoft SQL Servers over the course of the campaign.
During the same period, the attackers harvested SSL/VPN authentication hashes from the FortiGate connections and brute-forced them offline on a cluster of 45 GPUs dedicated to the task. Each successful login was recorded, and the valid admin credentials were stored in a repository.
Several important attack components can be identified here:
- Brute-forcing at scale: about 1.16 billion logins to FortiGates and 2.1 billion logins to SQL servers.
- Hash capturing: authentication hashes from the FortiGate SSL/VPN were harvested and brute-forced using a 45-GPU cluster.
- Credentials repository: the attackers created a repository with thousands of legitimate admin credentials.
- Network penetration: the attackers used stolen credentials to access internal networks and Active Directory environments.
The volume of successful logins suggests that the attackers checked and validated each harvested credential before adding it to the repository.
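The pattern described above, many failed SSL/VPN logins from one source followed by a success, is what a defender would look for in FortiGate event logs. The following detector is an added example, not code from the article; the log lines are constructed and only approximate FortiGate's key=value format (the field names `action`, `user`, `remip` are assumptions).

```python
import re
from collections import defaultdict

# Constructed sample lines approximating FortiGate key=value VPN event logs.
# Field names are an assumption for illustration, not taken from the article.
SAMPLE_LOGS = """\
date=2024-01-01 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=203.0.113.7
date=2024-01-01 time=10:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.7
date=2024-01-01 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=203.0.113.7
date=2024-01-01 time=10:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=203.0.113.7
date=2024-01-01 time=10:00:05 type="event" subtype="vpn" action="tunnel-up" user="dave" remip=203.0.113.7
date=2024-01-01 time=10:05:00 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=198.51.100.9
date=2024-01-01 time=10:06:00 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.9
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def analyse(log_text: str, fail_threshold: int = 3) -> dict:
    """Flag sources with >= fail_threshold failed VPN logins (brute force or
    spraying) and sources where such a burst is followed by a successful
    login, i.e. a credential the attacker has just validated."""
    fails = defaultdict(list)   # remip -> users with failed logins, in order
    validated = {}              # remip -> user that succeeded after a burst
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "vpn":
            continue
        ip, user, action = ev["remip"], ev["user"], ev["action"]
        if action == "ssl-login-fail":
            fails[ip].append(user)
        elif action == "tunnel-up" and len(fails[ip]) >= fail_threshold:
            validated[ip] = user
    bursting = sorted(ip for ip, users in fails.items() if len(users) >= fail_threshold)
    return {"burst_sources": bursting, "validated_after_burst": validated}
```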
Global Impact and Affected Industries
According to reports, the leak contains 73,932 distinct firewall URLs from 21,632 distinct domains, spanning 194 countries. Based on these numbers, around half of all internet-accessible FortiGate firewalls were caught up in this attack. The victims span industries across the globe, with telecoms and information technology services the worst affected, followed by finance, government, healthcare, education and manufacturing. To illustrate, close to 2,000 IT firms have been identified as victims.
Several highly reputable organizations and agencies appear among the leaked entries, including Foxconn, Samsung, Comcast, Siemens, Lenovo, PWC, Accenture, and Oracle. Various government agencies and utilities were also targeted. Most striking is a Turkish military contractor to the NATO alliance whose FortiGate was fully compromised. The presence of these entities shows that FortiGate firewalls are deployed in every industry and that any exposure may result in an attack.
Colombia, Malaysia, Chile and UAE also had thousands of devices compromised by the hackers.
Complex Passwords in Plaintext
What is particularly interesting about this incident is that many of the compromised credentials were long, complex passwords of 12 to 20+ characters containing a mix of symbols. Despite their complexity, these passwords were still cracked and recovered in plaintext. In other words, none of the measures taken to strengthen the passwords themselves prevented this leak.
To understand what caused the breach, it is necessary to consider how FortiOS stores admin passwords. Older versions of FortiOS used a salted SHA-256 hash, while newer versions rely on the more secure PBKDF2. However, after an upgrade the previously stored hash persists until the user logs in again, and until that happens the older, weaker hash remains on the device. It was these legacy hashes that the attackers cracked.
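The upgrade behaviour just described, and why it matters, can be modelled in a few lines. This is an added example, not FortiOS code: the salt length, iteration count and record layout are assumptions for illustration. A legacy salted SHA-256 record costs one hash per guess for an offline cracker, a PBKDF2 record costs many thousands, and a legacy record is only re-hashed after its owner logs in, which is why a defender should list accounts still on the old scheme and force a rotation rather than wait.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for illustration; FortiOS's real salt length, iteration
# count and storage format are not given in the article.
SALT_LEN = 16
PBKDF2_ITERATIONS = 100_000


def hash_legacy(password: str, salt: bytes) -> bytes:
    """Single-round salted SHA-256: one hash per guess for an offline cracker."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: each guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, scheme: str) -> dict:
    """Store a password under the named scheme ('sha256' legacy or 'pbkdf2')."""
    salt = os.urandom(SALT_LEN)
    fn = hash_legacy if scheme == "sha256" else hash_pbkdf2
    return {"scheme": scheme, "salt": salt, "digest": fn(password, salt)}


def verify(record: dict, password: str) -> bool:
    fn = hash_legacy if record["scheme"] == "sha256" else hash_pbkdf2
    return hmac.compare_digest(fn(password, record["salt"]), record["digest"])


def login_and_upgrade(record: dict, password: str) -> bool:
    """Models the upgrade behaviour: a legacy record is re-hashed with PBKDF2
    only after a successful login, so an idle admin keeps the weak hash."""
    if not verify(record, password):
        return False
    if record["scheme"] == "sha256":
        record.update(make_record(password, "pbkdf2"))
    return True


def stale_accounts(records: dict) -> list:
    """Defender check: accounts whose stored hash is still the legacy scheme."""
    return sorted(name for name, r in records.items() if r["scheme"] == "sha256")


def work_factor_ratio(n_legacy: int = 2000, n_pbkdf2: int = 3) -> float:
    """Time per PBKDF2 guess divided by time per legacy guess on this machine."""
    salt = b"\x00" * SALT_LEN
    t0 = time.perf_counter()
    for i in range(n_legacy):
        hash_legacy(f"guess{i}", salt)
    per_legacy = (time.perf_counter() - t0) / n_legacy
    t0 = time.perf_counter()
    for i in range(n_pbkdf2):
        hash_pbkdf2(f"guess{i}", salt)
    return ((time.perf_counter() - t0) / n_pbkdf2) / per_legacy
```

Running `stale_accounts` over the admin store immediately after an upgrade shows which accounts still need a forced login or rotation; `work_factor_ratio` shows the per-guess cost gap that makes the legacy scheme so much cheaper to crack.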
Conclusion: When Firewall Credentials Become the Breach
FortiBleed proves that privileged infrastructure risk does not always begin with malware. It can begin with an exposed VPN surface, a vulnerable firewall posture, and credentials that attackers can validate, store, and reuse. More than 73,000 FortiGate firewalls were linked to leaked VPN and administrator credentials, showing how edge infrastructure can become the first step in broader compromise.
That is the real lesson. A firewall is not only a security control. If exposed or misconfigured, it can become the attacker’s entry point.
Why This Threat Matters
FortiGate firewalls sit close to VPN access, administrator control, internal routing, and identity infrastructure. Once attackers obtain valid credentials, the risk moves beyond the firewall itself.
- Valid VPN credentials can open the path into internal networks
- Administrator access can expose sensitive firewall configurations
- Credential reuse can extend the breach into cloud, SaaS, and Active Directory environments
- Internet-facing management surfaces expand the attacker’s target list
- Weak configuration and delayed patching can turn edge devices into long-term access points
- Stolen access can later become tool execution, lateral movement, and data theft
Once attackers hold validated firewall credentials, the problem becomes bigger than password rotation. It becomes an exposure problem, an identity problem, and a control problem.
Where Xcitium Changes the Outcome
FortiBleed requires layered defense because the risk begins at exposed infrastructure, moves into identity abuse, and can finally become endpoint execution.
Xcitium Vulnerability Assessment is the primary control for this scenario. It helps organizations identify exposed firewall and VPN surfaces, vulnerable services, risky configurations, and patch gaps before attackers turn internet-facing infrastructure into credential exposure.
Xcitium ITDR strengthens the next layer when stolen VPN or administrator credentials are reused against internal systems, privileged accounts, cloud services, or Active Directory environments.
And if attackers use that access to launch tools, scripts, payloads, or lateral movement activity on endpoints, Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, applies Execution Governance.
- Unknown code does not receive unrestricted execution rights.
- Code can run without being able to cause damage.
- Runtime behavior is governed before trust exists.
- Security teams gain proof of what unknown execution could not do.
This is the correct sequence of control.
- Expose the risk.
- Detect identity abuse.
- Govern execution before access becomes damage.
Rotate Credentials. Then Prove Control.
FortiBleed shows that credential leaks can turn perimeter devices into enterprise entry points. Organizations must rotate FortiGate and administrator passwords, enforce MFA, audit SSL/VPN access, review FortiOS versions, and remove unnecessary internet exposure immediately.
But remediation cannot stop at password changes.
- Find exposed infrastructure.
- Secure privileged access.
- Govern unknown execution before stolen credentials become operational impact.
Choose Xcitium Vulnerability Assessment to expose the risk.
Choose Xcitium ITDR to strengthen identity control.
Choose Xcitium Advanced EDR to enforce Execution Governance when attackers try to turn access into damage.