Crime Gang Sells Access to 74,000 Fortinet Firewall Devices
Ongoing Campaign May Be Grabbing Legacy Passwords From Fortinet FortiGate Devices
Cybercriminals are selling access to 75,000 Fortinet FortiGate devices with VPN and web management interfaces, and the admin credentials appear to be legitimate and recently harvested as part of a still-live campaign, security experts warned.
Mathew J. Schwartz (euroinfosec) • June 18, 2026
Image: Shutterstock/Fortinet/ISMG
Cybercriminals are selling access to nearly 75,000 Fortinet firewall devices, and the admin credentials appear to be legitimate and recently harvested, security experts warn.
Evidence of this campaign first came to light publicly thanks to veteran cybersecurity researcher Volodymyr Diachenko, who flagged it Friday in a LinkedIn post, based on his review of worldwide network scan and cyberattack sensor data gathered by Hunt Intelligence.
As part of the campaign, attackers "processed 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MSSQL servers," Diachenko said in a Monday update. Victims appeared to include "a Turkish NATO defense contractor whose classified defense documents were exfiltrated," and thousands of other organizations, including AT&T, Chevron, Mercedes-Benz and Fortinet itself.
"This is a Russian-speaking multi-operator group conducting large-scale credential harvesting against Fortinet FortiGate SSL VPN appliances worldwide. They intercept SSL VPN authentication, crack hashes on a 45-GPU cluster managed via Hashtopolis, and pivot into internal Active Directory environments," he said. Hashtopolis is an open-source platform designed to distribute Hashcat password-cracking tasks across multiple computers.
Threat-intelligence firm Hudson Rock, which tracks information-stealing malware campaigns, said it obtained and reviewed a copy of the dataset and found it contains credentials tied to 74,000 firewall URLs across 194 countries, affecting 21,453 different domains.
Credentials in the dataset tie to Fortinet devices used by Accenture, Comcast, Foxconn, Lenovo, Oracle, PwC, Samsung, Siemens, "and thousands of others, ranging from critical infrastructure to government entities," said Alon Gal, the firm's CTO.
Threat-intelligence firm SOCRadar said the credential-stealing campaign targeting FortiGate devices with VPN and web management interfaces remains live. "The attacker's infrastructure is running and new victims continue to be added. This is not a historical breach - it is an ongoing campaign," it said.
Of the government victims in the dataset, the firm said "India accounts for over 60%," while "Ukraine, Poland and Taiwan alongside other NATO-adjacent states" are also well-represented.
Fortinet didn't immediately respond to a request for comment.
British cybersecurity expert Kevin Beaumont in a Wednesday post to social network Mastodon said that with help from Hudson Rock, he reviewed the dataset being offered for sale. "I've verified the data is real. They've been dumping the Fortinet config - not sure how yet - and then cracking the passwords, it appears. Data is being resold online."
In a follow-on blog post, he said the dataset appears to be made up of recently harvested credentials, accounts for half of all Fortinet firewall devices currently counted by the internet-of-things search engine Shodan, and that most of the affected Fortinet devices remain internet-connected.
This wouldn't be the first mass attack involving stolen Fortinet device configuration files. In January 2025, a cybercrime outfit calling itself Belsen Group leaked configuration data and passwords for over 15,000 Fortinet devices.
While it's unclear exactly how config files are being obtained for these latest attacks, Beaumont said attackers appear to be using them to take advantage of organizations that failed to log into their devices after updating the firmware over the past year.
Here's why: In December 2025, Fortinet announced that, starting with FortiOS v7.2.11, 7.4.8 and 7.6.1, it was replacing legacy SHA256 with Password-Based Key Derivation Function 2, or PBKDF2, for hashing stored firewall administrator credentials.
Fortinet warned: "When first upgrading from an earlier version, administrator passwords are still stored as SHA256 hashes until the matching administrator logs in successfully."
The vendor also said that "for backwards compatibility, by default, the previous SHA256 hashes remain stored" in a hidden setting that won't be visible to admins, unless they have super_admin status. To fully remove the old passwords, it said admins will have to "enable the 'login-lockout-upon-weaker-encryption' setting in system password-policy."
Given those caveats, security firm Arctic Wolf said "many organizations likely continue to store administrator credentials using older SHA-256 with Salt hashing mechanisms," perhaps without realizing it. As a result, stealing the config files would have enabled an attacker to brute-force passwords hashed using the legacy approach.
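To make the upgrade-on-login behaviour described above concrete (legacy salted SHA-256 hashes that survive the firmware upgrade until each admin logs in again, versus a lockout policy that refuses legacy-hashed accounts outright), here is an added Python model; it is not Fortinet's code, and the record layout, the PBKDF2 iteration count and the `AdminStore` class are assumptions:

```python
import hashlib
import hmac
import os

# Illustrative PBKDF2-HMAC-SHA256 work factor (assumed; not the FortiOS parameters).
PBKDF2_ITERS = 100_000


def legacy_hash(password: str, salt: bytes = None) -> dict:
    """Legacy scheme: one salted SHA-256 pass, cheap to guess against on a GPU cluster."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return {"scheme": "sha256", "salt": salt, "digest": digest}


def pbkdf2_hash(password: str, salt: bytes = None) -> dict:
    """Upgraded scheme: every guess now costs PBKDF2_ITERS HMAC evaluations."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return {"scheme": "pbkdf2", "salt": salt, "digest": digest}


def verify(record: dict, password: str) -> bool:
    if record["scheme"] == "sha256":
        candidate = hashlib.sha256(record["salt"] + password.encode()).digest()
    else:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERS)
    return hmac.compare_digest(candidate, record["digest"])


class AdminStore:
    """Hypothetical admin credential store modelling post-upgrade behaviour."""

    def __init__(self, lockout_on_weaker: bool = False):
        self.accounts = {}
        self.lockout_on_weaker = lockout_on_weaker  # models 'login-lockout-upon-weaker-encryption'

    def add_legacy(self, user: str, password: str) -> None:
        # State of every admin account right after the firmware upgrade: still SHA-256.
        self.accounts[user] = legacy_hash(password)

    def login(self, user: str, password: str) -> str:
        record = self.accounts[user]
        if record["scheme"] == "sha256" and self.lockout_on_weaker:
            return "locked: reset required"  # legacy hash is never accepted, so a cracked copy is useless
        if not verify(record, password):
            return "denied"
        if record["scheme"] == "sha256":
            self.accounts[user] = pbkdf2_hash(password)  # re-hashed only on a successful login
        return "ok"

    def legacy_accounts(self) -> list:
        """Audit: admins whose stored hash is still the legacy one, exposed if the config leaks."""
        return sorted(u for u, r in self.accounts.items() if r["scheme"] == "sha256")
```

Without the lockout setting, an admin who never logs in after the upgrade keeps a crackable legacy hash indefinitely, which is exactly the window the article describes.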
To help organizations identify if they've fallen victim to what's being dubbed "FortiBleed," Hudson Rock created a free portal anyone can use to test if a domain is part of the compromised dataset. "Upon confirmation, you can reach out through the tool to receive a full ethical disclosure regarding your specific exposure," Gal said.
To guard against any stolen Fortinet passwords ever being used against them, Hudson Rock said organizations will ideally never directly expose their FortiOS Management Interface to the public internet, and always require multifactor authentication for administrator accounts.
Any organization listed in the dataset has been targeted or is likely to be targeted, security experts said, and should immediately rotate credentials and look for signs of suspicious admin activity, which could indicate that backdoors have been installed on its device.
"If evidence of compromise exists, isolate the device from the internet and your internal network," and for British organizations, ideally report it to authorities and an incident response provider, said the U.K. National Cyber Security Center on Thursday.
Organizations with credentials in the data dump should "assume compromise," not least because the dataset appears to not be a raw dump, but carefully curated, Beaumont said.
"It is unclear where Hunt Intelligence obtained the data from and how long it has been in circulation, however it is formatted in a way which looks like an eCrime gang - e.g. it lists the type of company, their revenue and country. This is a very common format in eCrime circles when selling initial access information," he said.