In June 2026, researcher Volodymyr Diachenko discovered that a live server exposed valid credentials for over 73,000 Fortinet firewalls, revealing a large-scale access-brokering operation known as FortiBleed. This leak provided login credentials for devices belonging to over 21,600 organizations across 194 countries, accounting for about half of all internet-facing FortiGates. The breach was linked to a vendor named "SantaAd" on a Russian-speaking cybercrime forum.
The broker organized credentials into an annotated spreadsheet that included company names, sectors, revenues, and employee counts, indicating a financially motivated operation likely aimed at reselling access to ransomware groups. The access-brokering operation utilized a combination of brute-force attacks and AI-driven tools, highlighting significant risks for organizations.
To mitigate these risks, it is advised to restrict public access to device management interfaces, enforce multi-factor authentication, and regularly rotate credentials.