‘The risk to every organization has increased exponentially’: The FortiBleed campaign just took a turn for the worse
Reports suggest that FortiBleed-linked exposed credentials could put UK government and public services at huge risk
Cybersecurity experts have issued an alert amid reports that hackers accessed login credentials belonging to UK government officials and Foreign Office staff.
The credentials, which are reportedly being sold on the dark web, were exposed as part of the ongoing FortiBleed attack campaign.
FortiBleed targets internet-facing Fortinet VPN and firewalls, and is believed to have affected more than 70,000 devices spanning 194 countries since it was first uncovered last month.
Analysis from SOCRadar, for example, identified a vast database containing login credentials. The threat intelligence firm has since attributed FortiBleed to the Lynx/INC ransomware group.
While this database was believed to have been limited to basic usernames and passwords, reports from The Telegraph suggest some exposed details include privileged Fortinet credentials.
Volodymyr Diachenko, a security researcher who first uncovered the threat campaign, told the publication these credentials could give bad actors access to the Foreign Office’s “core networks” along with other government departments.
Some Foreign Office credentials are now being sold on the dark web, according to reports, going for up to £40,000.
Arctic Wolf CISO Adam Marrè warned that the incident could create a domino effect, impacting other government departments and also local authorities and public services.
According to The Telegraph, credentials at NHS trusts, energy companies, and local councils were also hosted in the illicit database.
“This major breach of email accounts of UK government officials and overseas Foreign Office workers is the latest development in the ongoing FortiBleed attack,” he said.
“While it may be tempting to think this is a simple credential-stuffing operation, our threat team found the threat actors have built a highly sophisticated and repeatable credential factory,” he said.
Marrè noted that analysis of the incident conducted by Arctic Wolf shows threat actors appear to have been using automated tools to harvest logins and target gateways at “exponential speed and volume”.
“This means while today it’s the Foreign Office which has been affected, the risk to every organization has increased exponentially.”
Back and forth on FortiBleed
The discovery of the FortiBleed sparked somewhat of a back and forth between Fortinet and security researchers last month. After threat intelligence firm Hudson Rock published a blog detailing the campaign, Fortinet disputed some of its claims.
Fortinet told ITPro at the time that the exposed credentials weren’t the result of a fresh breach, insisting that those following best practices were safe from exposure.
"Fortinet is aware of a reported third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways. We are committed to safeguarding our customers, and we diligently and continuously monitor threat actor darknet activity,” a spokesperson for the company said.
“Based on our initial analysis, the data involved is likely a resharing of data from previous incidents, as well as brute forcing of credentials, and not related to any current incident or advisory."
Hudson Rock, meanwhile, said the campaign went “beyond simply credential reuse,” highlighting that hundreds of organizations are thought to have been affected.
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
The hidden cost of AI support: Why MSPs still struggle with escalation and repeated diagnosisIndustry Insights Why MSP service desks still struggle despite growing investments in AI automation
-
Workday expands EMEA VAR ecosystem with HR Path UK&I partnershipNews The partnership will see HR Path directly sell Workday solutions to SMBs across Scotland and Ireland
-
US offers $10m bounty for info on Russia-linked hackers behind Signal and WhatsApp attacksNews UNC5792 and UNC4221 have been targeting government officials through their Signal and WhatsApp accounts
-
Duo accused of role in TfL cyber attack plead guilty after ‘lengthy, highly complex, and painstaking investigation’News Around 10 million people are believed to have been affected by the TfL cyber attack
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
Russian hackers are weaponizing CRMs, Ukraine’s former foreign minister warnsNews Dr Dmytro Kuleba told IT leaders in London that everyday business software is being actively exploited by nation-states
-
Hackers are turning up at law firms to gain physical access to machinesNews The FBI is warning companies to look out for fake IT staff
-
A ‘perfect storm’: NCSC chief issues warning over quantum threats, nation-state hackers, and the dangers of global ‘hacktivism’News NCSC CEO Richard Horne says nation-state attacks, AI and the looming quantum threat require stronger global collaboration
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businessesNews Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
NCSC issues alert over Russian hacker campaign targeting SOHO routersNews The APT28 group has exploited vulnerable internet routers to covertly reroute internet traffic through malicious servers