| Stage | Result |
|---|---|
| masscan internet-wide scan | 59.3M hosts scanned |
| FortiGate fingerprinting | ~437,000 FortiGate devices identified |
| SSH + web-panel brute force | 856M + 2.1B credential combinations attempted |
| Compromised appliances | 26,211 unique FortiGate IPs breached |
| Passive traffic capture (diagnose sniffer via SSH) | 7,505 corporate networks sniffed |
| 21 protocol parsers | 105M+ credentials harvested |
| 10× RTX 4090 GPU cracking | Plaintext passwords recovered, ranked by company revenue |
| Secondary access (MSSQL / RD Web / Synology) | Exfiltration — incl. a NATO-aligned defense contractor |
SOCRadar Launches Free FortiBleed Exposure Checker and Publishes the Most Extensive Dataset on the Fortinet Credential Leak
The team that first analyzed the FortiBleed leak now opens its research to the public, having already alerted thousands of customers and national CERTs — and invites every government cybersecurity agency to coordinate on the data.
SOCRadar, the global extended threat intelligence company, today announced the public release of its free FortiBleed Exposure Checker, a tool that lets any organization instantly verify whether its IP addresses or domains appear in the FortiBleed dataset — one of the largest known collections of compromised Fortinet credentials.
SOCRadar was among the first to identify and analyze the FortiBleed leak. Over the past 24 hours the company’s Threat Research team has reconstructed the full attack chain behind the campaign, validated the exposed records, and proactively notified thousands of affected customers as well as the local and national CERTs it works with. With those stakeholders already informed, SOCRadar is now making its analysis available to everyone.
A Leak of Unprecedented Scale
The FortiBleed dataset spans tens of thousands of internet-facing Fortinet/FortiGate firewalls across nearly every industry and region. Independent researchers have confirmed portions of the data are authentic, and by some estimates it covers roughly half of all internet-accessible Fortinet firewalls. SOCRadar’s reconstruction of the operation shows the sheer scale of what the attackers built:
“The numbers tell the story. The operators scanned 59.3 million hosts, fingerprinted around 437,000 FortiGate devices, and threw more than 850 million SSH and over 2 billion web-panel login attempts at them. That funneled down to 26,211 fully compromised firewalls, passive traffic capture across 7,505 corporate networks, and more than 105 million harvested credentials — then a 10× RTX 4090 cracking rig turned the strongest of those into plaintext passwords, neatly ranked by company revenue,” said Ensar Seker, CISO at SOCRadar.
“This is not a routine credential dump. It is an industrialized harvesting operation that ended in real exfiltration, including from a NATO-aligned defense contractor. That is exactly why we are putting the most complete view of this incident into defenders’ hands.”
Accuracy Over Alarm
SOCRadar deliberately took the time to build an accurate tool rather than rushing raw data into the public domain. A domain appearing in the dataset does not automatically mean that organization has been breached. The records reflect exposed or harvested credentials and configuration artifacts of varying age and validity, and some entries may be stale, duplicated, or tied to assets that have since been remediated. Treating every listed domain as “hacked” would generate false alarms and unnecessary panic. Rather than ambulance-chasing by dumping all available data, SOCRadar invested in validation and context so defenders get a signal they can act on — a clear answer about potential exposure, paired with the steps to confirm and remediate it.
Free for Everyone, With the Most Extensive Dataset Available
Unlike narrower lookups, the SOCRadar FortiBleed Exposure Checker is backed by the most extensive dataset assembled around this incident. It is publicly available and free to use — no signup required. Organizations can learn whether their Fortinet assets appear in the exposed data and request full data access upon verification of their corporate email.
An Open Call to Government Cybersecurity Agencies
SOCRadar is also offering to coordinate directly with national CERTs and government cybersecurity agencies worldwide to share its full country-level dataset and analysis so they can notify affected organizations within their jurisdictions.
“An incident of this magnitude is bigger than any single vendor or customer. We need to work together as a community,” added Ensar Seker. “If you represent a CERT or a national cyber authority, reach out and we will share everything relevant to your country.”
CERTs and government cybersecurity agencies can contact the SOCRadar team at [email protected] to receive the complete dataset for their country.
Recommended Actions for Affected Organizations
Organizations that find themselves in the dataset should immediately rotate all credentials tied to Fortinet VPN and administrative interfaces, enforce multi-factor authentication, remove FortiGate management interfaces from direct internet exposure, and review gateway and authentication logs for suspicious activity.
How to Check Your Exposure
Visit the SOCRadar FortiBleed Exposure Checker at https://socradar.io/free-tools/fortibleed and enter your IP address block or domain to see whether your organization is affected.

