FortiBleed Credential Exposure Affecting FortiGate and SSL VPN Accounts

Attackers exposed a **FortiBleed** dataset containing around **75,000 stolen credentials** tied to **FortiGate firewall and SSL VPN** customers. The records include usernames, email addresses, and plaintext passwords, creating immediate account-takeover and follow-on access risk for affected organizations. Available reporting associates the exposed logins with customers in **194 countries** and **over 21,000 unique domains**, indicating broad international reach. Named organizations in the exposed data include Oracle, Spotify, Toyota, and AT&T, but the full victim list and the rate of successful misuse are not publicly confirmed. The initial intrusion path into Fortinet environments remains unconfirmed in available material, with discussion ranging from older product weaknesses to a possible zero-day. The described attack flow indicates that configuration data was stolen first and that the passwords in the dataset were then available for brute-force or credential-reuse activity against internet-facing systems. The UK **NCSC** has advised potentially affected customers to use **FortiBleed** exposure-checking tools and to review for indicators such as unauthorized account creation and unexpected log activity. Immediate defensive work centers on identifying exposed accounts, rotating credentials, reviewing administrative changes, and checking remote-access infrastructure for signs of secondary compromise. Available evidence does not yet establish the exact root cause, the total number of compromised organizations, or how many exposed credentials have already been used successfully.