All the news coverage surrounding FortiBleed plays up the tens of thousands of Fortinet firewall and VPN credentials allegedly exposed in a massive credential harvesting campaign. Reports indicate that attackers accumulated valid credentials for roughly 74,000 FortiGate systems across nearly 200 countries, making it one of the largest credential exposure stories of 2026.
That's a big deal, for sure. But according to security researcher and consultant Jennifer Jabbusch, the industry's focus on the firewall itself misses the bigger story.
Jabbusch has written an extensive analysis of the incident, making the case that FortiBleed should not be viewed primarily as a Fortinet problem or even a firewall compromise story.
Instead, it is an identity and lateral movement story.
The exposed FortiGate devices were simply the first step. Once attackers obtained access, the objective became reaching internal systems, harvesting additional credentials, and moving deeper into enterprise environments.
Read Jennifer's full analysis here:

That distinction changes how defenders should think about risk. If organizations view FortiBleed as another vendor-specific incident requiring password resets, they may overlook the broader possibility that valid credentials have already been used to establish persistence elsewhere in the network, Jabbusch wrote.
Fortinet has maintained that the exposed data appears to be a combination of credentials gathered from previous incidents and large-scale brute-force activity rather than evidence of a new vulnerability or breach. The company has emphasized password rotation, MFA deployment and adherence to existing security guidance.
Even if Fortinet's assessment is correct, the operational impact for defenders remains significant.
Sophos Findings Reinforce The Identity Threat
Research published by Sophos provides additional evidence supporting Jabbusch's central argument.
According to Sophos incident response investigators, attackers were not merely collecting VPN credentials. They were actively abusing exposed Fortinet access to move into victim environments and establish broader control. Sophos documented activity involving credential exports, VPN abuse, and follow-on attacks that extended well beyond the firewall itself. Sophos MDR reported confirmed malicious activity as early as June 2 and observed attackers leveraging compromised access for deeper network operations.
Full Sophos analysis here:
That aligns with multiple independent investigations describing campaigns that targeted not only VPN credentials but also Active Directory environments and internal authentication systems. Researchers have reported threat actors cracking authentication hashes, pivoting into directory services, and establishing long-term persistence after obtaining initial access.
Jabbusch highlights this overlooked aspect of the story. The real danger is not that a firewall password may have leaked. It's that attackers are using those credentials to reach LDAP, Kerberos, NTLM, Active Directory, file services, and other internal infrastructure components that ultimately control enterprise identity and access.
In that sense, FortiBleed resembles a growing class of attacks where identity becomes the primary attack surface. Credentials, not exploits, are increasingly providing the path to compromise.

What Security Teams Should Be Doing Now
The FortiBleed story arrives at a time when identity-driven attacks are already dominating incident response investigations.
Sophos' 2026 Active Adversary Report found that compromised credentials, brute-force attacks, phishing, and other identity-related techniques now account for a substantial share of successful intrusions. In many cases, attackers do not need a sophisticated zero-day exploit when valid credentials can accomplish the same objective with far less effort.
That is why the most important lessons from FortiBleed extend beyond Fortinet customers.
Organizations should certainly rotate exposed credentials, enable MFA wherever possible, audit VPN access logs, and verify that internet-facing FortiGate systems are fully updated. Those are table stakes.
The larger challenge is determining whether attackers moved beyond the perimeter. Security teams should review authentication logs, investigate unusual directory-service activity, monitor privileged accounts, and hunt for signs of persistence in Active Directory and related identity infrastructure. If a compromised VPN account was used weeks or months ago, the firewall may no longer be where the attacker resides.
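One way to start the hunt described above, as an added example that is not part of the article or of any Fortinet or Sophos tooling: it correlates VPN login records with internal authentication events and flags sessions whose tunnel IP fanned out to several internal hosts shortly after login. The log line format, user names, hosts, window and threshold are all constructed assumptions, not real FortiGate or Windows event formats.

```python
# Added example (not from the article): flag VPN logins that are followed by a
# burst of authentications to internal hosts, one signal that a compromised VPN
# credential was used to move beyond the firewall. Log formats below are
# constructed, simplified stand-ins, not real FortiGate or Windows formats.
from datetime import datetime, timedelta

# Constructed VPN login events: timestamp, user, tunnel IP assigned to the session
VPN_LOGINS = """\
2026-06-02T08:01:10 user=jsmith tunnel_ip=10.212.0.14
2026-06-02T08:05:42 user=svc-backup tunnel_ip=10.212.0.27
2026-06-02T09:30:00 user=alee tunnel_ip=10.212.0.31
"""

# Constructed internal authentication events: timestamp, user, source IP, target host
AUTH_EVENTS = """\
2026-06-02T08:06:01 user=svc-backup src=10.212.0.27 target=DC01
2026-06-02T08:06:20 user=svc-backup src=10.212.0.27 target=FS01
2026-06-02T08:06:33 user=svc-backup src=10.212.0.27 target=FS02
2026-06-02T08:07:05 user=svc-backup src=10.212.0.27 target=SQL01
2026-06-02T08:15:00 user=jsmith src=10.212.0.14 target=FS01
2026-06-02T09:45:00 user=alee src=10.212.0.31 target=MAIL01
"""

def parse(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *kvs = line.split()
        rec = dict(kv.split("=", 1) for kv in kvs)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def suspicious_sessions(vpn_text, auth_text, window_minutes=15, host_threshold=3):
    """Return {user: sorted target hosts} for VPN logins whose tunnel IP
    authenticated to at least host_threshold distinct hosts within the window."""
    auths = parse(auth_text)
    flagged = {}
    for login in parse(vpn_text):
        end = login["ts"] + timedelta(minutes=window_minutes)
        hosts = {a["target"] for a in auths
                 if a["src"] == login["tunnel_ip"] and login["ts"] <= a["ts"] <= end}
        if len(hosts) >= host_threshold:
            flagged[login["user"]] = sorted(hosts)
    return flagged

if __name__ == "__main__":
    for user, hosts in suspicious_sessions(VPN_LOGINS, AUTH_EVENTS).items():
        print(f"review {user}: VPN session fanned out to {hosts}")
```

A hit is a lead to investigate, not proof of compromise: the next step is checking whether that account and those hosts show the directory-service and persistence activity the article describes.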
That is the point Jabbusch believes many observers are missing. FortiBleed is not primarily a story about leaked passwords. It is a reminder that modern attacks increasingly treat identity as the true perimeter. The firewall may have been the doorway, but the attackers were always interested in what was behind it.
