
FortiBleed: exposed firewalls are a ransomware early warning

By Ransomnews Research Team, June 18, 2026

FortiBleed is a dataset of 73,932 compromised Fortinet FortiGate firewalls spread across 21,613 organisations in 207 countries, with cracked administrator credentials circulating in the wild. On its own that is a large exposure. Cross-referenced against two independent datasets, it becomes something more useful: a measurable early warning. In a random sample of exposed organisations, 88% also appeared in stealer-log or breach data and 38% had employees with active infostealer infections. Around 590 have already been named on ransomware leak sites, among them Toyota, Foxconn, Accenture, Siemens, and Fortinet itself.

What FortiBleed is

FortiBleed is the credential exposure we documented in our earlier FortiBleed investigation: tens of thousands of FortiGate devices whose administrator credentials were harvested and cracked, then circulated. The dataset was surfaced in collaboration with researcher Bob Diachenko and the team at Alerts.bar.

Each record carries a domain, an industry tag, a revenue band, an employee band, a device count, and the countries those devices sit in. It carries no passwords, no usernames, and no IP addresses, and neither does anything we publish from it. Every figure below is an aggregate count.

How we measured it

Three passes, three sources. For geography and sector we aggregated the full table of 21,613 organisations. For credential exposure we drew a random sample of 120 exposed domains and queried each against the Alerts.bar exposure index, which tracks stealer-log credentials, session cookies, and breach records. For the ransomware overlap we matched FortiBleed organisation names against the full ransomlook leak-site corpus, 31,512 victim posts spanning 2021 to 2026.

Two caveats up front, because the numbers are only as good as their method. The credential figures come from a sample of 120, so treat them as roughly accurate to within nine percentage points, not to the decimal. The ransomware figure is a name-level match, so a small share are coincidental name collisions. We hand-reviewed the top of that list, and the major brands named here are confirmed matches.
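
The "nine percentage points" caveat, worked through as an added example (not Ransomnews code). It assumes a 95% confidence level, which the article does not state, and compares the worst-case margin for a sample of 120 with Wilson intervals for the reported percentages.

```python
from math import sqrt

Z95 = 1.96        # two-sided 95% normal quantile (assumed confidence level)
N_POP = 21_613    # exposed organisations in the full table (from the article)
N_SAMPLE = 120    # randomly sampled domains (from the article)


def fpc(n, N):
    """Finite-population correction: sampling 120 of 21,613 barely matters."""
    return sqrt((N - n) / (N - 1))


def worst_case_margin(n=N_SAMPLE, N=N_POP, z=Z95):
    """Margin of error at p = 0.5, where a proportion's variance peaks."""
    return z * sqrt(0.25 / n) * fpc(n, N)


def wilson_interval(p, n=N_SAMPLE, z=Z95):
    """Wilson score interval; behaves better than +/- margin near 0% or 100%."""
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def report():
    """Intervals for the three sampled percentages quoted in the article."""
    figures = {"any stealer/breach data": 0.88,
               "active infostealer creds": 0.38,
               "live session cookies": 0.40}
    return {name: wilson_interval(p) for name, p in figures.items()}


if __name__ == "__main__":
    print(f"worst-case margin: +/-{worst_case_margin() * 100:.1f} points")
    for name, (lo, hi) in report().items():
        print(f"{name}: {lo * 100:.0f}% to {hi * 100:.0f}%")
```

The worst-case margin is what matters for the figures near 40%; the 88% figure has a narrower interval because a proportion far from 50% has lower variance.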

Finding 1: exposed firewalls sit next to live infostealer infections

Of the 120 sampled organisations, 88% also showed up in Alerts.bar’s stealer-log or breach data. More pointedly, 38% had staff credentials sitting in infostealer logs right now, and 40% had live session cookies circulating. Among the organisations with infected staff, the median was five compromised employee accounts, and the worst single case ran to 633.

This is the compound-risk point, and it is the reason the cross-reference matters more than either dataset alone. An exposed FortiGate is one way into a network. Already-circulating employee logins and stolen session cookies are a second, completely independent way in. When two unrelated datasets keep naming the same organisations, that is not noise, it is corroboration. The firewall is the unlocked door; the infostealer logs are a copy of the keys.

Finding 2: many of these organisations are already on ransomware leak sites

Around 590 FortiBleed-exposed organisations share a name with a victim already posted on a ransomware leak site. The confirmed roll-call reads like an index of global industry: Toyota, Foxconn, Accenture, Siemens, Deutsche Telekom, Oracle, Fujitsu, Medtronic, Broadcom, Munich Re, Ingram Micro, Airtel, Singtel, Etisalat, DaVita, Rite Aid, ArcelorMittal, Thales, Iberdrola, and Apollo Hospitals. The groups behind those listings span Clop, LockBit, Akira, Medusa, Qilin, and RansomHub. Fortinet itself appears, courtesy of an older leak of FortiGate access.

Correlation is not proof that a FortiGate was the entry point in any one of these cases, and we are careful not to claim it. But exposed edge devices are a documented ransomware entry vector, and the direction of travel is hard to miss: exposure first, extortion later. For defenders, an organisation that appears in both datasets is not a hypothetical. It is a target that attackers have already found twice.

Finding 3: the exposure map points at the Global South

The raw volume leaders are India (9,612 devices across 2,736 organisations) and the United States (6,326 devices), followed by Taiwan, Mexico, Turkey, Thailand, and Colombia. But the US tail is mostly tiny deployments of two or three devices each. The real concentration is in Latin America and the Caribbean, where Chile, the Dominican Republic, Colombia, and Puerto Rico run ten or eleven exposed devices per organisation. That density is the signature of large telecom carriers, and it is exactly the part of the map that gets the least coverage in Western security press.

Finding 4: telecom carries the load, small business is the long tail

By sector, IT Services is the broadest blast radius at 1,975 organisations, but telecommunications is the heaviest: 574 organisations holding 10,437 devices, roughly fourteen percent of all exposed devices from under three percent of the organisations. Financial services, government services, and healthcare each contribute several hundred organisations, which is what turns this from a curiosity into a regulator-and-press story. 788 of the exposed organisations carry billion-dollar revenue tags.

The shape of the exposure is a steep power law. Around 63% of exposed organisations have a single device on the list, while a handful of carriers and integrators carry hundreds each, topping out at 1,213 devices for one Latin American telecom. Most victims are small. The risk is concentrated at the top.

Explore the data

[Interactive exposure map: exposed devices by country, with searchable Countries (country, devices, organisations) and Industries (industry, organisations, devices) tables. Aggregated across the entire FortiBleed dataset; device counts only, no passwords, usernames or IPs.]

What to do about it

If your organisation runs FortiGate, treat every internet-facing device as suspect until proven otherwise. Rotate every administrator and local credential. Audit logs for unexpected admin logins, new accounts, and configuration changes. Upgrade FortiOS, then have administrators sign back in to trigger the stronger credential-storage path. Take the management interface off the public internet, and enforce phishing-resistant MFA. Because the infostealer overlap is so high, also reset exposed employee credentials and kill active sessions, not just the firewall accounts.
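
One way to run the log audit described above, as an added example (not Ransomnews or Fortinet code). The log lines are constructed, the field names (`logdesc`, `srcip`, `cfgpath`, `cfgobj`) are assumed to follow the FortiOS key=value event-log style and should be checked against your own export, and `MGMT_NETS` and `KNOWN_ADMINS` are hypothetical allow-lists.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in key=value event-log style (not real logs).
SAMPLE_LOG = '''\
date=2026-06-10 time=09:02:11 type="event" logdesc="Admin login successful" user="netops" srcip=10.20.0.15 action="login" status="success"
date=2026-06-11 time=03:14:52 type="event" logdesc="Admin login successful" user="admin" srcip=203.0.113.77 action="login" status="success"
date=2026-06-11 time=03:16:05 type="event" logdesc="Object attribute configured" user="admin" action="Add" cfgpath="system.admin" cfgobj="svc_backup"
date=2026-06-11 time=03:17:40 type="event" logdesc="Object attribute configured" user="admin" action="Edit" cfgpath="firewall.policy" cfgobj="12"
date=2026-06-12 time=10:30:00 type="event" logdesc="Object attribute configured" user="netops" action="Edit" cfgpath="system.interface" cfgobj="port3"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MGMT_NETS = [ip_network("10.20.0.0/24")]  # assumption: your admin subnet(s)
KNOWN_ADMINS = {"netops"}                 # assumption: accounts you expect

def parse(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def in_mgmt(src):
    try:
        return any(ip_address(src) in net for net in MGMT_NETS)
    except (TypeError, ValueError):       # missing or malformed srcip
        return False

def audit(text):
    """Flag unexpected admin logins, new admin accounts, and follow-on changes."""
    findings, suspects = [], set()
    for line in text.splitlines():
        ev = parse(line)
        when = f'{ev.get("date")} {ev.get("time")}'
        user = ev.get("user", "?")
        if ev.get("action") == "login" and ev.get("status") == "success":
            src = ev.get("srcip")
            if not in_mgmt(src) or user not in KNOWN_ADMINS:
                findings.append((when, "unexpected-admin-login", user, src))
                suspects.add(user)        # later changes by this user matter
        elif ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append((when, "new-admin-account", user, ev.get("cfgobj")))
        elif "cfgpath" in ev and (user in suspects or user not in KNOWN_ADMINS):
            findings.append((when, "config-change-by-suspect", user, ev["cfgpath"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Any account flagged here belongs on the rotation list, and any account it created should be removed before credentials are reissued.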

You can check any domain against the FortiBleed dataset, with a global exposure heatmap and searchable country and industry breakdowns, using our free tool. It is domain-level only and shows no passwords or IP addresses.

Check your domain in the FortiBleed Checker →

FAQ

What is FortiBleed?

FortiBleed is a dataset of 73,932 compromised Fortinet FortiGate firewalls across 21,613 organisations in 207 countries, whose administrator credentials were harvested and cracked. Ransomnews holds device-level metadata only, no passwords, usernames, or IP addresses.

Does being in FortiBleed mean my organisation will be hit by ransomware?

No. It means an exposed device with cracked credentials existed for your domain. It is a risk indicator, not a verdict. The concern is that 38% of sampled exposed organisations also had active infostealer infections, and around 590 already appear on ransomware leak sites.

How did you measure the stealer-log overlap?

We drew a random sample of 120 exposed domains and queried each against the Alerts.bar exposure index. The figures are accurate to within roughly nine percentage points, given the sample size.

Which countries are most affected?

India leads on raw volume, followed by the United States, Taiwan, Mexico, Turkey, Thailand, and Colombia. On a per-organisation basis the densest exposure is in Latin American and Caribbean telecoms.

How do I check my own exposure?

Use the free FortiBleed Checker. Enter your domain for a device-level result, plus the global exposure map and country and industry statistics. No passwords or IP addresses are ever shown.

What should I do if my domain is listed?

Rotate all FortiGate and local credentials, upgrade FortiOS, take the management interface off the public internet, enforce MFA, and reset exposed employee credentials and active sessions flagged in stealer-log monitoring.

Sources

FortiBleed dataset, Ransomnews, surfaced in collaboration with Bob Diachenko and Alerts.bar. Credential, cookie, and breach figures via the Alerts.bar exposure index. Ransomware victim corpus via ransomlook.io (2021 to 2026). Device, country, and industry aggregates computed by the Ransomnews Research Team from the FortiBleed dataset.
