Skip to main content
Home/Blog/Your Firewall Is Watching You — And So Are the Hackers. The FortiBleed Story Every Business Leader Needs to Read.
Cybersecurity

Your Firewall Is Watching You — And So Are the Hackers. The FortiBleed Story Every Business Leader Needs to Read.

A credential-theft campaign called FortiBleed compromised 430,000+ firewalls and harvested 110 million passwords. Now ransomware gangs are using those credentials. Here's what business leaders need to do.

July 3, 2026·7 min read

Most business leaders think of a firewall as the thing that protects them from hackers. What the FortiBleed campaign just proved is that your firewall can also be the thing that gets you hacked.

Here's what happened — and why it matters for your business, regardless of whether you're running Fortinet hardware.

What FortiBleed Is

FortiBleed is the name researchers gave to a massive, months-long credential-harvesting campaign that targeted internet-facing FortiGate firewalls and VPN gateways worldwide. Since February 2026, attackers — assessed by SOCRadar to be Russian-speaking and financially motivated — systematically scanned, compromised, and installed custom surveillance tools on over 430,000 FortiGate devices across 194 countries.

Let that number sink in: 430,000 firewalls. Devices your IT team installed specifically to keep attackers out.

The attackers didn't exploit a Fortinet zero-day. They didn't need one. They used credential stuffing — trying username and password combinations from previous data breaches — along with password spraying and brute-force attacks against exposed management interfaces and VPN portals. In other words, they got in the old-fashioned way: weak or reused passwords.

Once inside, they deployed a custom tool called FortigateSniffer that passively captured authentication traffic passing through the compromised firewall. It monitored 24 protocols — including Active Directory authentication, database connections, email, remote desktop, and more — and extracted credentials in real time, silently, without triggering alerts.

The result: over 110 million credentials harvested across 659 automated pipelines.

This Week: Ransomware Gangs Are Cashing In

If the scale of FortiBleed wasn't alarming enough, the July 2 intelligence from SOCRadar confirms the next phase has begun.

Researchers linked FortiBleed infrastructure directly to two active ransomware operations: INC Ransom and Lynx. At least 12 confirmed ransomware deployments have already occurred — with hundreds of encrypted endpoints across affected organizations — using credentials stolen through this campaign.

This is the connection that transforms a credential-theft story into a ransomware story. The attackers weren't collecting credentials for sport. They were building a database of working usernames and passwords to sell to ransomware operators, or to deploy themselves.

Small and medium-sized businesses were the primary focus. The campaign showed a heavy concentration on organizations with fewer than 200 employees — precisely the companies least likely to have the monitoring tools to detect a passive sniffer running on their perimeter device.

What This Means for Your Business

Even if your organization doesn't use Fortinet products, the FortiBleed campaign illustrates three risks that apply universally.

Your perimeter security device is also an attack surface. Firewalls, VPN gateways, and network appliances are internet-facing by design. That makes them targets. A device that handles every byte of your inbound and outbound traffic — with administrative access to your network — is an extraordinarily valuable target for an attacker. These devices need patching, monitoring, and hardening just like any other system. Most organizations monitor what's behind the firewall. Few monitor the firewall itself.

Credential reuse is still quietly destroying businesses. FortiBleed succeeded largely because employees and administrators reuse passwords across systems, or choose passwords that appeared in previous breach dumps. When an attacker has a list of 110 million credentials to try, simple credential stuffing becomes devastatingly effective. Multi-factor authentication (MFA) on every remote access point is the single most impactful control you can implement today. If your VPN, firewall management interface, or any other remote access portal accepts a username and password alone, that access point is vulnerable.

The gap between compromise and ransomware is shrinking. The FortiBleed timeline shows attackers operating patiently — building credential databases over months — then selling or deploying that access for ransomware. This is the industrialization of cybercrime. The initial access brokers, credential harvesters, and ransomware operators are increasingly operating as an ecosystem. A compromise of your perimeter device in February may not become a ransomware event until July. That delay makes detection harder and attribution nearly impossible without sophisticated monitoring.

Three Questions to Ask Your IT Team This Week

You don't need to become a firewall expert to take action on this. Here are three questions worth asking immediately:

First: Is our firewall's management interface exposed to the internet? It shouldn't be. Administrative access to network devices should be restricted to internal management networks or dedicated jump hosts, never reachable directly from the public internet.

Second: Are we running multi-factor authentication on every remote access point — including the VPN, the firewall admin panel, and any remote management interfaces? If the answer is anything other than an unambiguous yes, that's where your security investment needs to go next.

Third: Are we monitoring our perimeter devices for anomalous behavior? Many organizations have robust endpoint detection on laptops and servers but no behavioral monitoring on the network devices sitting at the edge of their environment. An attacker running a passive credential sniffer on your firewall will not generate the same alerts as malware on a workstation — unless you're specifically watching for it.

The Bottom Line

FortiBleed is a reminder that the devices we trust most are often the least scrutinized. An attacker who compromises your firewall doesn't just get past your defenses — they get inside the device that sees everything.

One hundred and ten million stolen credentials. Twelve confirmed ransomware deployments. Businesses in 194 countries exposed.

This isn't a story about a Fortinet vulnerability. It's a story about what happens when internet-facing devices are left with weak credentials, no MFA, and no monitoring — and threat actors have the patience and automation to find them at scale.

If you're not sure whether your perimeter devices are exposed or whether your credential hygiene holds up, TrustPoint Cyber can help you find out before the attackers do. A proactive security assessment costs a fraction of what a ransomware event costs — in dollars, in downtime, and in trust.

Get Protected

Ready to strengthen your security?

TrustPoint Cyber delivers Zero Trust architecture, incident response, managed security, and vCISO services — built for your business.