CyberCube - Cyber Insurance Analytics

FortiBleed: What Credential Harvesting Means for Cyber (Re)Insurers

Written by William Altman | Jul 3, 2026 7:00:01 AM

Executive Summary

Credential harvesting is becoming a more scalable and industrialized part of the cybercrime economy. Attackers are increasingly using automation, exposed edge infrastructure, and cloud-scale computing to collect and monetize access across thousands of organizations.

The FortiBleed event reflects this shift. For cyber (re)insurers, it highlights how identity compromise can create correlated exposure across many organizations, with losses potentially emerging months or years after credentials are first harvested.

Key Takeaways:

1. Identity compromise is becoming a new source of systemic cyber risk.

FortiBleed demonstrates that large-scale credential harvesting campaigns can create widespread exposure without exploiting a new software vulnerability. As attackers industrialize the collection and monetization of enterprise credentials, shared identity infrastructure is becoming as important a source of cyber risk as shared software vulnerabilities.

2. Attacker economics are shifting toward high-volume campaigns against smaller organizations.

Automation and cloud computing have lowered the cost of acquiring enterprise access, making campaigns against thousands of small and medium-sized organizations economically attractive. This presents an opportunity for cyber insurance brokers to educate clients that cyber risk is not solely determined by company size and that cyber insurance serves as a critical financial backstop when technical controls fail.

3. FortiBleed exposes new challenges for cyber (re)insurance.

For underwriters, the event reinforces the need to evaluate identity security alongside software vulnerability management. For portfolio managers and catastrophe modelers, it demonstrates that a single credential harvesting campaign can produce correlated losses over months or years, creating attribution and accumulation challenges that are difficult to observe and quantify using traditional catastrophe frameworks.

What Happened?

Threat actors staged a multi-month credential harvesting campaign known as FortiBleed, targeting more than 430,000 internet-facing FortiGate firewalls across 194 countries.

According to SOCRadar, the attackers collected more than 110 million credential artifacts and exposed verified administrator and VPN credentials for approximately 74,000 devices. The campaign was active from at least February 2026 into June 2026, with researchers reporting that elements of the operation remained active when it was publicly disclosed. Organizations relying on internet-facing Fortinet appliances for remote access could be affected, making the event global in both scale and impact.

Organizations are investigating whether they were affected. Those that confirm exposure are rotating credentials, revoking active sessions, enforcing multi-factor authentication, upgrading devices, and hunting for evidence of unauthorized access or persistence.

The concern for enterprises and cyber (re)insurers is that attackers may still retain a large inventory of valid enterprise credentials. Even if only a small fraction remain valid (because they were overlooked, reused elsewhere, or belong to service accounts that were never rotated), those credentials could enable ransomware, espionage, business email compromise, or data theft months or even years after the initial campaign.

How the Attackers Did It and Why They Targeted Fortinet

The attackers identified internet-facing FortiGate firewalls, gained access through credential-based techniques, and deployed custom malware that turned the firewall into a collection point for authentication material as users logged in.

Rather than targeting individual computers, the campaign collected authentication data from many users over time. The attackers then used cloud-based GPU computing to crack the stolen authentication material offline, recovering usable credentials and validating enterprise access at scale.

Fortinet appliances were an attractive target because they sit at the edge of an organization's network and manage remote access for employees, administrators, and VPN users. Compromising the authentication gateway allowed attackers to harvest credentials across many organizations through a single technology platform.

Who Is Believed to Be Behind FortiBleed and Why?

Current research indicates that FortiBleed is the work of a financially motivated, Russian-speaking Initial Access Broker (IAB). SOCRadar's investigation suggests the campaign extends beyond Fortinet and is part of a broader, multi-vendor operation designed to harvest credentials, establish verified access to enterprise networks, and monetize that access.

Rather than deploying ransomware directly, Initial Access Brokers acquire and validate access before selling it to other threat actors, including ransomware operators. FortiBleed sought to manufacture verified enterprise access at industrial scale that could be sold or reused long after the initial credential harvesting occurred.

This separation between the initial compromise and the eventual attack also complicates attribution. Months after credentials are harvested, a ransomware incident or data breach may be traced to valid credentials without clear evidence that the access originated from FortiBleed, making it difficult for defenders, insurers, and researchers to connect downstream losses to the original campaign.

What This Means for Cyber Insurance Brokers

FortiBleed highlights how smaller organizations have become viable targets for credential harvesting campaigns. SOCRadar found that organizations with fewer than 200 employees represented a significant share of affected companies. Automation has changed attacker economics. Rather than pursuing a small number of large enterprises, threat actors can now profit by compromising thousands of smaller organizations at scale.

The campaign also demonstrates that automated cyber attacks are increasingly global. Organizations across 194 countries were targeted, reinforcing the need for cyber insurance markets to continue developing in emerging regions, where broker-led education can help organizations understand both their cyber risk and the value of risk transfer.

For cyber insurance brokers, this creates two opportunities. The first is to help smaller prospects and clients understand that size alone is no longer an effective measure of cyber risk. A compromised administrator account can disrupt operations, halt revenue-generating activities, interrupt supply chains, and result in the loss or encryption of critical data. For many small businesses, the financial impact of these disruptions can exceed the cost of recovering the affected systems. Credential security is therefore more than an IT issue; it is a business risk.

The second is to demonstrate how cyber insurance complements technical controls. Organizations should continue investing in multi-factor authentication, strong password policies, and continuous monitoring. However, FortiBleed shows that even well-managed organizations can be caught up in large-scale identity compromise campaigns. When preventive controls fail, cyber insurance provides financial protection as well as access to incident response, forensic investigators, legal counsel, breach response services, and other resources that help organizations recover and resume operations.

What This Means for Cyber Underwriters

Despite recent attention on how AI may accelerate vulnerability discovery and exploit development, FortiBleed shows that significant cyber losses can occur without a newly disclosed software vulnerability. Organizations with fully patched systems remain exposed if attackers obtain valid credentials.

For underwriters, this reinforces the importance of assessing identity security alongside traditional vulnerability management.

Key underwriting considerations include:

  • Is multi-factor authentication enforced for VPN and privileged accounts?

  • Are privileged and service account credentials regularly rotated?

  • Can the organization detect and respond to credential compromise?

  • Are internet-facing remote access technologies securely configured and administered?

Underwriters can use CyberCube's Account Manager to identify, at the point of underwriting, the internet-facing remote access technologies that an organization relies on, including Fortinet devices.

Future campaigns may target technologies other than Fortinet, but the underlying lesson is the same: an organization's ability to protect, monitor, and respond to compromised credentials will continue to influence the likelihood and severity of a cyber loss.

What This Means for Reinsurers and Portfolio Risk Managers

FortiBleed demonstrates how a single technology platform can create correlated exposure across a cyber insurance portfolio. Portfolio managers should identify concentrations of firewall, VPN, and remote access technologies that could become targets for future credential harvesting campaigns.

CyberCube's Single Point of Failure (SPoF) Intelligence solution enables insurers to identify concentrations of exposure to shared technologies, including firewall and VPN vendors, across their portfolios.

CyberCube has issued guidance to customers on how to use its SPoF Intelligence solution to identify and quantify potential exposure to Fortinet and other firewall and VPN technologies across their portfolios. For further information on assessing exposure to emerging cyber events, contact us.

FortiBleed also highlights an ongoing challenge in cyber portfolio risk modeling. Credential harvesting campaigns decouple the initial compromise from the eventual loss, making this kind of correlated portfolio risk difficult to observe, attribute, and quantify.

Credential harvesting campaigns may generate losses months or even years later. This creates attribution and aggregation challenges. Downstream ransomware, business email compromise, or data theft may occur long after the initial credential harvesting, making it difficult to determine whether an attack originated from FortiBleed or another source of credential compromise.

In practice, each affected organization is typically viewed as having experienced its own security failure, with losses driven by the configuration, credential hygiene, and security controls of its individual environment. As a result, many downstream breaches stemming from a single credential harvest are not recognized or modeled as a single catastrophic event.

As identity compromise campaigns become more common, portfolio risk managers and catastrophe modelers may increasingly seek to identify and quantify these shared upstream causes of loss. Doing so could provide a view of how a single credential harvesting operation can generate correlated claims that emerge gradually across a portfolio over an extended period.

The Significance of Cloud-Scale Password Cracking

FortiBleed demonstrates how threat actor capabilities continue to evolve. The attackers harvested password hashes and other authentication material rather than plaintext passwords. They then used rented cloud GPU infrastructure to crack that data offline, recovering usable credentials and validating enterprise access at a scale that would have been prohibitively expensive only a few years ago.

Cyber (re)insurers should note that FortiBleed is a signal that the barrier to conducting large-scale identity compromise campaigns is falling. Rather than compromising individual organizations one at a time, threat actors can build inventories of verified enterprise credentials that are monetized over time. This fundamentally changes the economics of cybercrime by making credential harvesting more efficient, repeatable, and profitable.

FortiBleed is unlikely to remain an isolated case. As cloud computing and automation continue to reduce the cost of credential harvesting, similar campaigns are likely to target additional identity providers, VPN platforms, remote access technologies, and other authentication systems. For defenders and insurers alike, this reinforces that identity is still one of the most important attack surfaces to protect.