In mid-June 2026 a credential leak nicknamed FortiBleed put roughly 73,932 Fortinet FortiGate VPN logins — in plaintext — into the open, across 194 countries. It's an enterprise-infrastructure story on the surface, but the way it was assembled is a blunt lesson about everyone's passwords. Here's what happened and what to actually do.
What happened
Security researchers (the discovery is credited to Bob Diachenko) found a dataset containing plaintext usernames, emails and passwords for about 73,932 unique Fortinet FortiGate firewall and SSL-VPN devices, spanning 194 countries and more than 21,000 domains — by some estimates around half of the Fortinet firewalls currently exposed to the internet. The affected organisations reportedly read like a corporate roll-call across major industries. CISA urged affected Fortinet customers to terminate active VPN sessions and reset credentials immediately.
How it was built — recycled, not hacked
This is the important part: the operators didn't crack Fortinet's encryption. According to reporting, they assembled the list from:
- Prior Fortinet breach dumps — credentials exposed in earlier incidents.
- Infostealer malware logs — software that silently harvests passwords saved in browsers and VPN clients on infected machines.
They then automatically tested those credentials against every reachable FortiGate device and logged each success. In plain terms: stolen and reused passwords, recycled at industrial scale. No exotic exploit — just the predictable payoff of credential reuse and malware-harvested logins.

Why this matters even if you've never touched a Fortinet box
Because FortiBleed wasn't really about Fortinet — it was about reused and stolen passwords. The same infostealer logs that fed this list routinely contain logins for personal email, banking, gaming and social accounts. The attack worked because credentials get reused across systems and are quietly harvested by malware. That risk is universal.
What to do
The defence is the same at every scale:
- Stop reusing passwords. Every account should have a long, unique password so one leak can't open the others. A password manager makes this realistic instead of impossible to remember.
- Turn on two-factor authentication. With 2FA (an authenticator app or hardware key, ideally — not SMS), a stolen password alone won't get an attacker in.
- Starve the infostealers. Keep your OS and browser updated, avoid pirated software and shady downloads, and don't keep sensitive passwords in plaintext files or unprotected browser stores.
- If you run FortiGate, follow CISA's advice now: end active sessions, reset device credentials, and rotate any of those passwords reused elsewhere.
The takeaway
FortiBleed is one of the largest, most public demonstrations of a boring truth: most "hacks" are just reused and stolen passwords being tried somewhere new. You can't control a vendor's breach, but you can make your own credentials worthless to recycle — unique passwords, 2FA, and an infostealer-resistant setup. That's the whole game.