There's a special kind of dread reserved for the security headline that pairs a cute nickname with a five-figure body count. "FortiBleed" delivers both, and the number attached to it is not the kind you want to meet before your morning coffee.
86,644 Firewalls, One Very Bad Week
CISA has issued an urgent advisory warning organizations to lock down their Fortinet FortiGate devices after the discovery of a sweeping credential-exposure campaign dubbed FortiBleed. As of June 19, 2026, the operation had produced a verified database of 86,644 confirmed working credentials harvested from internet-facing Fortinet gear across 194 countries.
The method is grimly methodical: attackers systematically extracted configuration files from exposed FortiGate appliances and cracked the stored credential hashes, yielding working administrator logins. Generic admin accounts made up about 35% of the haul, with built-in Fortinet system accounts adding another 28.3% — together, the bulk of everything stolen.
The Firewall Is the Front Door Now
The irony writes itself: the device you bought to keep intruders out became the thing that handed them the keys. When your security appliance is internet-facing and its config gets lifted, the attacker doesn't need to pick the lock — they just read the password off the back of the door. The blast radius is global and indiscriminate, hitting both government and private-sector organizations across all 194 countries, with researchers flagging the campaign as active and ongoing.
CISA's guidance is the digital equivalent of re-keying every lock in the building: terminate all SSL VPN and admin sessions, reset every VPN and administrative password, switch on phishing-resistant multifactor authentication, and comb the logs for signs of lateral movement. If you run FortiGate and you're reading this over coffee, the coffee can wait.
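One starting point for the log-review step, as an added example (not code from CISA, Fortinet or the original article): list every successful admin login whose source sits outside your management network, grouped by source so that one address logging in as several accounts stands out. The log lines are constructed, and the key=value field names (`user`, `srcip`, `action`, `status`) and the management subnet are assumptions to adapt to your own export.

```python
import ipaddress
import re

# Constructed sample lines in key=value style; field names are assumptions.
SAMPLE_LOG = '''\
date=2026-06-18 time=02:14:07 type="event" user="admin" srcip=203.0.113.45 action="login" status="success"
date=2026-06-18 time=02:14:52 type="event" user="admin" srcip=10.20.0.15 action="login" status="success"
date=2026-06-18 time=02:16:30 type="event" user="backup_admin" srcip=203.0.113.45 action="login" status="success"
date=2026-06-18 time=02:17:01 type="event" user="admin" srcip=198.51.100.7 action="login" status="failed"
date=2026-06-18 time=09:03:11 type="event" user="jsmith" srcip=10.20.0.22 action="login" status="success"
truncated line with no fields
'''

# Assumed management subnet: the only place admin logins should come from.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV.finditer(line)}

def external_admin_logins(log_text, mgmt_nets=MGMT_NETS):
    """Map each non-management source IP to the accounts it logged in as."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "login" or rec.get("status") != "success":
            continue
        src = rec.get("srcip", "")
        try:
            addr = ipaddress.ip_address(src)
            trusted = any(addr in net for net in mgmt_nets)
        except ValueError:
            trusted = False  # unparseable source: surface it for review
        if not trusted:
            hits.setdefault(src, set()).add(rec.get("user", "?"))
    return {ip: sorted(users) for ip, users in hits.items()}

if __name__ == "__main__":
    for ip, users in external_admin_logins(SAMPLE_LOG).items():
        print(ip, users)
```

Any source it reports is a session to terminate and an account to reset first, and its timestamps mark where to begin looking for follow-on activity.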
Naming your breach is all fun and games right up until it's your credentials in the 86,644.
Source: The Hacker News