WASHINGTON — Cybersecurity researchers are warning of a large-scale credential harvesting operation targeting Fortinet firewalls and VPN gateways after discovering a database containing more than 30,000 verified login credentials belonging to organizations across nearly every region of the world.
According to researchers at cybersecurity firm SOCRadar, the database contains working usernames and passwords associated with 30,791 Fortinet devices spanning 194 countries. The exposed credentials reportedly belong to organizations operating in sectors including government, telecommunications, banking, healthcare, higher education, energy, and large multinational enterprises.
Researchers have dubbed the campaign “FortiBleed” and describe it as an ongoing operation that appears designed to provide threat actors with persistent access to internet-facing Fortinet infrastructure.
The discovery highlights growing concerns surrounding credential-based attacks, which have increasingly become one of the most effective methods cybercriminals use to infiltrate corporate networks, government systems, and critical infrastructure.
According to SOCRadar’s analysis, the database contains credentials associated with 21,108 unique IP addresses and 8,316 unique domains. Researchers stated they reconstructed the attack chain, validated the exposed records, and began notifying affected organizations as well as national and regional Computer Emergency Response Teams (CERTs).
Unlike many cyber incidents involving stolen credentials offered for sale on dark web marketplaces, researchers said this database appears to be actively operational rather than simply archived. Investigators believe threat actors are continuously testing the collected usernames and passwords against exposed Fortinet devices worldwide using automated scanning tools.
Once access is obtained, attackers can allegedly monitor network traffic, collect additional credentials, identify connected systems, and harvest new login information. Those newly acquired credentials are then added back into the attack infrastructure, creating a self-sustaining cycle of compromise. Researchers described the process as an expanding ecosystem in which one successful intrusion can potentially lead to multiple additional compromises.
Fortinet products are among the most widely deployed network security platforms in the world. Their firewalls, VPN gateways, and security appliances are used by organizations to control network access, secure remote connections, and protect sensitive internal systems. Because these devices often sit at the perimeter of enterprise networks, a successful compromise can provide attackers with a valuable foothold inside an organization’s infrastructure.
The report indicates that the United States ranks among the most heavily affected countries, second only to India. Mexico ranked third. Combined, organizations located in the United States and India reportedly account for approximately one-third of all entries contained within the database.
Researchers also noted that more than 20 percent of affected organizations generate annual revenues exceeding $1 billion, suggesting the campaign is not limited to small businesses or poorly secured networks. The telecommunications sector appears to be among the most heavily targeted industries, with researchers identifying approximately 5,616 telecom-related entries within the dataset. Government agencies also appeared prominently, with 591 entries associated with 111 separate government domains.
Many of these sectors are considered high-value intelligence targets due to the sensitive information they possess and their role in supporting critical infrastructure. Based on victim selection patterns, infrastructure, and operational characteristics, researchers believe the campaign may be linked to Russian-speaking threat actors. SOCRadar stated that a significant number of affected organizations are located within NATO member nations, raising concerns that intelligence collection objectives could be operating alongside potential financial motivations.
Cybersecurity researchers cautioned that attribution remains difficult and that a definitive conclusion often requires access to intelligence beyond what is publicly available.
Benjamin Harris, CEO of cybersecurity firm watchTowr, stated that the credentials were likely accumulated over time through exploitation of vulnerabilities affecting internet-facing Fortinet systems. Rather than relying on a single breach, investigators believe the database may represent years of credential harvesting derived from multiple incidents, vulnerabilities, and previous compromises.
Researchers say one of the most concerning aspects of the operation is that many organizations may have patched the original vulnerabilities years ago while failing to rotate exposed passwords. As a result, attackers may still retain access even after vulnerable systems have been updated. The report also suggests that many of the compromised credentials involve generic administrative accounts and built-in Fortinet system accounts commonly used to manage enterprise security appliances.
This finding supports the theory that the database was assembled from credentials exposed during previous Fortinet-related security incidents rather than from a single large breach. The campaign follows a series of significant Fortinet security events over recent years. Cybersecurity firms have repeatedly warned that threat actors often maintain long-term access to compromised systems by creating persistence mechanisms, harvesting credentials, and returning months or even years after the original vulnerability has been patched.
Researchers have also documented multiple instances where attackers exploited Fortinet vulnerabilities within days of public disclosure, targeting organizations that had not yet implemented security updates. SOCRadar characterized the threat as critical and urged organizations using Fortinet products to take immediate action.
Researchers recommended:
- Immediately changing all Fortinet administrative passwords
- Resetting VPN credentials
- Enabling multi-factor authentication (MFA)
- Reviewing login histories for suspicious activity
- Restricting administrative interfaces from public internet access
- Auditing privileged accounts
- Monitoring network traffic for signs of compromise
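The "review login histories" step above can be partly automated. The following is an added example, not code from SOCRadar, Fortinet, or the report; it parses constructed key=value admin-login records in the general shape of FortiGate event logs (field names such as `srcip`, `action`, `status` and `ui` are assumed for illustration), flags bursts of failed administrator logins from one source, a success that follows failures from the same source, and any successful admin login from outside an assumed trusted management subnet:

```python
import re
from collections import defaultdict

# Constructed sample records approximating FortiGate "event/system" admin login
# entries (key=value syslog). Field names are an assumption for illustration.
SAMPLE_LOGS = """\
date=2024-05-01 time=09:00:01 type="event" subtype="system" user="admin" srcip=10.0.5.20 action="login" status="success" ui="https(10.0.5.20)"
date=2024-05-01 time=09:02:10 type="event" subtype="system" user="admin" srcip=203.0.113.44 action="login" status="failed" ui="https(203.0.113.44)"
date=2024-05-01 time=09:02:11 type="event" subtype="system" user="admin" srcip=203.0.113.44 action="login" status="failed" ui="https(203.0.113.44)"
date=2024-05-01 time=09:02:12 type="event" subtype="system" user="admin" srcip=203.0.113.44 action="login" status="success" ui="https(203.0.113.44)"
date=2024-05-01 time=09:05:00 type="event" subtype="system" user="audit" srcip=10.0.5.21 action="login" status="success" ui="ssh(10.0.5.21)"
"""

TRUSTED_ADMIN_NETS = ("10.0.5.",)  # assumed management subnet prefix(es)
FAIL_THRESHOLD = 2                  # failures from one source before alerting

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def review_admin_logins(text, trusted=TRUSTED_ADMIN_NETS, fail_threshold=FAIL_THRESHOLD):
    """Scan login events and return findings as (kind, srcip, detail) tuples."""
    findings = []
    fails = defaultdict(int)  # failed-login count per source IP
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "login":
            continue
        ip, user, status = ev.get("srcip", ""), ev.get("user", "?"), ev.get("status")
        if status == "failed":
            fails[ip] += 1
            if fails[ip] == fail_threshold:  # alert once when the burst threshold is reached
                findings.append(("burst_failures", ip, f"{fail_threshold}+ failed admin logins"))
        elif status == "success":
            if fails[ip] >= 1:  # password guessing that eventually worked
                findings.append(("success_after_failures", ip, f"user {user} after {fails[ip]} failures"))
            if not ip.startswith(trusted):  # admin login from outside the management network
                findings.append(("untrusted_source", ip, f"user {user} via {ev.get('ui', '?')}"))
    return findings

if __name__ == "__main__":
    for kind, ip, detail in review_admin_logins(SAMPLE_LOGS):
        print(f"{kind:24} {ip:16} {detail}")
```

Point the function at a real export of admin login events and extend `TRUSTED_ADMIN_NETS` to the organization's actual management ranges; any `untrusted_source` hit after the recommended password rotation deserves investigation.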
The company also released a free exposure checker allowing organizations to determine whether their domains or IP addresses appear within the FortiBleed dataset.
Cybersecurity experts note that credential theft remains one of the most persistent threats facing organizations today. While software vulnerabilities can often be patched relatively quickly, stolen credentials may continue providing attackers with access for months or years if passwords are not changed and additional security controls are not implemented.
The investigation remains ongoing as researchers continue notifying affected organizations and analyzing the full scope of the campaign.
TRJ VERDICT
The discovery of more than 30,000 verified Fortinet credentials is not just another cybersecurity incident—it is a reminder of how fragile the modern digital perimeter has become. Organizations around the world spend billions of dollars on firewalls, VPN gateways, threat detection systems, and security software, yet this campaign demonstrates how attackers can continue gaining access long after a vulnerability has been patched simply because exposed credentials were never changed.
What makes the FortiBleed campaign particularly concerning is its self-sustaining nature. Compromised systems are reportedly used to harvest additional credentials, creating a cycle capable of expanding far beyond the original breach. The affected organizations include governments, telecommunications providers, healthcare networks, energy companies, financial institutions, and other sectors that form critical components of modern society.
TRJ has repeatedly warned that cybersecurity is not solely a technology problem. It is also a process, training, and accountability problem. Patching software may close a vulnerability, but it does not eliminate the risk posed by stolen usernames, passwords, and administrative credentials that remain active long after an incident is believed to be resolved.
The larger lesson is that many organizations continue to focus on the breach itself while overlooking what happens afterward. Threat actors understand that access obtained today may remain useful months or even years into the future. As networks become increasingly interconnected and dependent on digital infrastructure, credential theft may prove just as valuable to attackers as the exploitation of software vulnerabilities themselves.
In today’s threat environment, the most dangerous compromise may not be the one discovered immediately. It may be the silent access that remains hidden long after an organization believes the threat has been eliminated.