This article is a follow-up to the Ars Technica article Massive breach spills credentials for thousands of sensitive networks. It gives a clearer explanation of what occurred, whether there is an actual software vulnerability that can be patched, and what recommended actions to take if you operate a FortiGate firewall.
A major credential breach known as FortiBleed has exposed login credentials for roughly 74,000 Fortinet firewall and VPN devices across 194 countries. Organizations named in the dataset include household names across virtually every industry sector. If your business uses a Fortinet firewall or SSL VPN, this warrants your immediate attention.
Here’s a clear breakdown of what happened, why it worked, and what steps FortiGate users should take now.

What Actually Happened in FortiBleed
The first thing worth clarifying is that this was not a software vulnerability. There is no patch that would have prevented it, and Fortinet did not have a zero-day exploited against them. What happened was something arguably harder to defend against: an industrial-scale credential operation years in the making.
Attackers compiled enormous databases of usernames and passwords from years of prior data breaches and infostealer malware campaigns. Infostealer malware is cheap, commodity software that silently harvests saved passwords from browsers and VPN clients on infected machines. It has been feeding criminal markets with fresh credentials for years. The attackers aggregated all of this into one massive working dataset.
They then systematically scanned the internet for every exposed Fortinet device they could find and began testing those known credentials against them at scale, with over 1.16 billion login attempts across more than 320,000 devices. Where credentials matched, they captured the authentication hashes transmitted during SSL VPN sessions and took them offline to crack.
That last part is critical. Once a hash is captured offline, there are no lockouts, no alerts, and no rate limits. The attackers cracked passwords in their own infrastructure, invisibly and at their leisure, reportedly using a dedicated 45-GPU cluster running 24/7. The victims had no idea it was happening.
The result was a curated, verified database of working credentials, organized by country, industry, and company revenue, ready to use for intrusions.
Why Fortinet Devices Were Targeted
The attackers did not just get lucky. There is a technical reason Fortinet devices were a productive target.
Older versions of FortiOS stored administrator passwords using SHA-256 hashing. SHA-256 is a fast algorithm, which is excellent for many use cases, but it is a poor choice for password storage precisely because it is fast. A modern GPU can test billions of SHA-256 hashes per second, which makes offline cracking very practical.
Newer versions of FortiOS have addressed this by switching to slower hashing algorithms, such as PBKDF2, which are specifically designed to be computationally expensive. A slow hash might allow only a few thousand guesses per second rather than billions, turning a crackable problem into one that would take centuries.
Here’s the catch: even organizations running the latest FortiOS were not necessarily safe. If administrator passwords were never reset after the firmware upgrade, the old SHA-256 hashes were still stored on the device in a legacy field, invisible to administrators but readable from a configuration backup. Updating the software without rotating the credentials was not enough.
Is FortiBleed a Fortinet Firewall Vulnerability?
FortiBleed may be discussed as a Fortinet firewall vulnerability, but the distinction matters. Based on the available reporting, this was not a standard software flaw that could be fixed by applying one patch. It was a credential-based issue involving exposed Fortinet firewall credentials, SSL VPN access, captured hashes, and offline password cracking.
That means simply checking whether FortiOS is up to date is not enough. If a FortiGate firewall or SSL VPN account used credentials that were exposed, reused, or stored under older hashing behavior, those credentials need to be treated as potentially compromised.
For FortiGate firewall users, the practical response is credential rotation, MFA verification, account review, and management-access hardening.
Does This FortiGate Breach Affect You?
If your organization uses Fortinet FortiGate firewalls or SSL VPN, you should treat your credentials as potentially compromised until you have taken the steps below. This is true even if you believe your passwords are strong. Strong passwords are irrelevant if the hash was captured and cracked.
If you do not use Fortinet products, this specific FortiGate breach does not directly affect you. That said, the attack pattern, including credential stuffing, infostealer-harvested passwords, and offline hash cracking, is not unique to Fortinet and will be reused against other platforms.
What FortiGate Users Should Do Right Now
The following steps should be treated as urgent, not optional. Work through them in order.
1. Update FortiOS to the Latest Version First
Ensure your FortiGate firmware is fully up to date before changing credentials. Updating the OS migrates password hashing to the stronger algorithm, but only for accounts whose passwords are reset after the update. This is why the order matters.
2. Reset All FortiGate Administrator Credentials After Updating
Every local admin account on the firewall should have its password changed. Enable MFA on all admin accounts and verify that each administrator has actually completed MFA enrollment.
Simply enabling MFA in settings is not enough. If a user has not enrolled, an attacker could enroll on their behalf on first login.
3. Address SSL VPN Immediately
If SSL VPN is not actively in use, disable it. If it is in use, immediately reset passwords for every SSL VPN user account and enforce MFA. Confirm enrollment, not just the setting, as mentioned above.
4. Audit Local User Accounts
Review all local accounts on the device. Remove any that are unused, stale, or no longer needed. For any remaining active accounts, reset passwords and verify MFA enrollment.
5. Disable WAN-Facing HTTP/HTTPS Management Access
The firewall’s management interface should not be reachable from the public internet. Restricting management to internal networks or trusted IPs removes a major attack surface.
This does not prevent management through cloud portals. It specifically closes off direct internet exposure of the admin panel.
6. Reset Your Fortinet Cloud Account Passwords
Rotate credentials for any associated Fortinet cloud management accounts as well. It takes a few minutes and removes one more avenue of potential access.
Why FortiBleed Matters for FortiGate Firewall Security
FortiBleed is a useful reminder that perimeter security is only as strong as the credentials protecting it. In a world saturated with infostealer-harvested data and years of accumulated breach databases, credential hygiene is no longer optional.
The durable defenses are straightforward: keep management interfaces off the public internet, enforce MFA everywhere, rotate credentials on a regular schedule, and keep firmware current. None of these are exotic. All of them would have meaningfully reduced exposure here.
If you have questions about whether your environment is affected or need help working through these steps, reach out. This is exactly the kind of situation where getting it right quickly matters.
Information in this article is based on public reporting as of June 17–18, 2026. Specific technical details may evolve as investigations continue.
Update: 18 June 2026
This article was originally written on 17 June 2026. However, on 18 June, CISA also picked up this subject and laid out its own “as-is” recommended handlings.
Some are very similar to our handlings laid out above, but a couple are broader in IT scope. Neither list is written with one very specific scenario in mind, so the steps are trying to encompass any and all possible FortiGate scenarios. We recommend reviewing both lists of recommended steps and taking the needed actions based on your environment.







