What Happened
A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke
Why It Matters
The article describes "FortiBleed," a financially motivated, Russian-speaking initial access broker campaign that has targeted more than 430,000 FortiGate firewalls since February 2026 to harvest roughly 110 million credentials. According to public reporting on earlier Fortinet exploitation patterns, attackers routinely abuse FortiGate/FortiOS authentication and configuration weaknesses to exfiltrate credentials, system configuration, and device data at scale; that material is then used for further network compromise and resold on criminal markets.[1][2] From a CyberSE.AI perspective, this represents a large-scale data leakage and initial-access risk: any AI agents, models, or automation pipelines integrated with these networks may be exposed if a compromised firewall is used as a pivot. Organizations should treat firewall- and SSO-related credentials as potentially compromised and enforce rapid credential rotation and MFA. They should also conduct an AI Security Readiness Assessment, a targeted AI Agent Business Logic Audit, and ongoing red teaming to ensure AI-driven workflows cannot be trivially reached or abused via these harvested credentials.
CyberSE Analysis
This signal maps to data leakage. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.html