# Urgent Call to Secure Fortinet Devices After Massive Credential Theft

*Published June 22, 2026*
*Source: [https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/](https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/)*

## Executive Summary

The FortiBleed credential theft campaign has compromised over 86,000 Fortinet devices globally, prompting CISA to advise urgent security measures. Organizations must act quickly to protect their systems by updating credentials and enhancing security protocols.

## Article

A sweeping credential theft campaign, known as FortiBleed, has compromised over 86,000 Fortinet devices worldwide. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a strong recommendation for organizations to fortify their internet-facing Fortinet devices. This urgent call to action follows a report by SOCRadar, which initially identified around 30,000 compromised devices, a figure that has now grown substantially.

The campaign has resulted in a database containing more than 86,644 verified working credentials from 194 countries, all collected from Fortinet's infrastructure exposed to the internet. Hackers have automated the testing of these credentials, and many were likely never updated after past incidents. Security researcher Kevin Beaumont and Hudson Rock have confirmed the validity of these credentials, noting that they represent approximately half of all Fortinet firewall devices currently exposed online.

Further investigations by Bob Diachenko reveal that a Russian-speaking threat actor orchestrated this campaign, fully compromising at least four organizations. The attack methods include intercepting SSL VPN authentication and utilizing a 45-GPU cluster to crack hashes before infiltrating internal Active Directory environments. The scale of the attack is vast, with 1.16 billion credential attempts targeting 320,000 FortiGate devices and 2.1 billion brute-force attempts against 160,000 MSSQL servers.

This operation has affected thousands of organizations, including critical infrastructure providers and major government entities. Huntress has cross-referenced the affected IP addresses and identified 845 partner organizations impacted by this credential dump.

CISA's alert urges Fortinet customers to take immediate action by terminating active sessions, resetting credentials, implementing secure password storage methods, reviewing logs for suspicious activity, enabling phishing-resistant multi-factor authentication, and restricting management access to minimize vulnerability.
