FortiBleed Campaign Exposes Fortinet Credentials, including UK Government Accounts

Saheed Aremu  - Security Expert
Last updated: July 6, 2026
Share
FortiBleed Campaign Exposes Fortinet Credentials, including UK Government Accounts
  • A major cyberattack exposed login credentials of thousands of Fortinet firewalls and VPNs, including some belonging to UK government bodies.
  • The campaign tagged "FortiBleed" doesn’t exploit a new software flaw but rather uses old methods such as credential stuffing, brute-force attack, and recycling passwords.
  • The most worrying thing about these stolen credentials is that they will probably form a foundation for bigger attacks like ransomware, network intrusions, and data theft.

A global cyberattack campaign that targets Fortinet security products has compromised login credentials associated with UK government personnel and some critical services. This campaign is now fuelling concerns regarding the vulnerability of infrastructure as well as the risk of ransomware attacks.

Security researchers believe that this FortiBleed campaign is among the biggest credential theft operations targeting Fortinet firewalls. Instead of identifying a new software vulnerability, the attackers use stolen passwords, recycle old passwords, and make automated login attempts.

UK government and council accounts exposed

Reports, first published by The Telegraph, have revealed that credentials belonging to UK government staff have appeared on criminal marketplaces. Some of this stolen access reportedly sells for as much as $60,000.

The compromised accounts include IT staff working at British embassies in Thailand and Mauritius. Employees of Derbyshire and Waltham Forest councils are also among the victims of this attack.

According to the reports, the leaked data include email IDs and the corresponding passwords. If these login credentials are still valid, hackers will be able to access internal systems without having to employ any other hacking technique.

Moreover, security experts have warned that valid login credentials have more value for criminals than stolen files as it lets them login like normal users without setting off security alarms.

The campaign extends far beyond government

The attack is not just a problem for government agencies. The exposed credentials also involve healthcare providers, energy companies, pharmaceutical suppliers, and other operators of critical infrastructure around the world.

Dr. Saif Abed, a cybersecurity expert and former NHS doctor, warned that compromised access to healthcare suppliers could be a starting point for ransomware attacks. Such attacks can directly disrupt patient care.

His warning comes two years after a major ransomware attack on the pathology provider Synnovis. That incident led to the cancellation of thousands of NHS appointments and operations across London.

No new software vulnerability to patch

Despite the scale of the incident, researchers and government agencies stress this is not the result of a new flaw in Fortinet products. The cyber criminals used various known attack methods, including credential stuffing, brute force password attack, and passwords stolen from previous data breaches. These events are often the result of having weak passwords and failing to use two-factor authentication.

The importance of strong password practices is also highlighted by phishing campaigns targeting Facebook users, where hackers try to steal login credentials through deceptive schemes.

The first person to alert the public about the FortiBleed attack was Volodymyr “Bob” Diachenko, who is a security expert, after he discovered the exposed server. This server held what looked like valid Fortinet administrator and VPN credentials.

The database included over 80,000 exposed Fortinet appliances worldwide. Estimates suggest that the wider campaign scanned over 430,000 devices to find their targets.

UK and global authorities issue urgent alerts

The UK’s National Cyber Security Centre (NCSC) has confirmed ongoing brute-force attacks targeting Fortinet systems. They have issued an urgent warning to organizations using these devices.

The agency recommends that organizations reset passwords right away. They also recommend checking for login attempts, isolating affected systems, and monitoring networks for any suspicious activity.

Other national cyber security agencies have issued a similar warning as well. This includes authorities in Singapore, the Netherlands, and the US’s CISA, as the campaign continues to affect organizations worldwide.

The attack infrastructure and parts of the malicious code reportedly contain Russian-language elements. Another threat actor using the online alias “SantaAd” is also advertising the credentials for sale.

However, UK officials have not directly attributed the campaign to the Russian government. However, according to the NCSC, there are no signs of government involvement at the moment.

Nevertheless, UK intelligence officers have continuously stressed the fact that hacker gangs based in Russia usually enjoy an enabling environment.  These groups can launch attacks as long as they avoid targeting Russian interests.

Newer threat intelligence suggests the stolen Fortinet credentials may already be feeding into ransomware operations. Researchers at SOCRadar recently linked the FortiBleed infrastructure to the INC and Lynx ransomware groups.

Further, the warning indicates that credential theft could just be a prelude to future attacks. The lesson for companies is that even without exploiting any software vulnerabilities, password weaknesses would be sufficient for cybercriminals to access their systems. 

Share this article

About the Author

Saheed Aremu

Saheed Aremu

Security Expert

Saheed Aremu passionately advocates for digital privacy and cybersecurity in the modern digital age. As one of PrivacySavvy's resident VPN experts, he guides readers on protecting their online information and anonymity. Saheed earned his degree in Technology and Ethics from the University of Lagos in Nigeria. Since then, he has dedicated his career to writing extensively about crucial infosec, data privacy, and cybersecurity topics. When he's not empowering PrivacySavvy's readers to take control of their online security, Saheed enjoys distance running, playing chess, and exploring the latest open-source software advancements.

More from Saheed Aremu

Comments

No comments.