Recent Breaches
Breaches
2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen
View All →
Breaking NewsUpdated as information becomes available
Back to Knowledge Vault
Breach AnalysisBreaking8 July 20263 min read

NCSC warns UK organisations over global Fortinet firewall and VPN credential leak

The National Cyber Security Centre has issued an alert after a threat actor leaked a database of credentials harvested from brute-force and credential-stuffing attacks against internet-facing Fortinet firewalls and VPN gateways. UK organisations using FortiGate or Fortinet VPN portals are urged to investigate exposure and apply mitigations immediately.

Mark Fermor

Mark Fermor

Director & Co-Founder, Firevault

Share
Row of rack-mounted network firewall appliances in a dim data centre corridor lit with cool blue and magenta accent lighting

The National Cyber Security Centre (NCSC) has issued an alert to organisations using Fortinet firewalls and VPN gateways, following a global campaign that has produced a leaked database of credentials for internet-facing FortiGate and Fortinet VPN portals. The NCSC has indicated potential impact in the UK and is urging affected organisations to act without delay.

What has happened

A threat actor has published a database of credentials gathered through brute-force, dictionary and credential-stuffing attempts against internet-facing FortiGate devices and Fortinet VPN portals. Credential stuffing relies on username and password combinations stolen from unrelated services being reused on other systems, so any organisation whose staff or administrators reuse passwords is at heightened risk.

Who is affected

The NCSC advises that any organisation exposing Fortinet firewall management or VPN services to the internet should assume it may be in scope. Organisations should use one of the FortiBleed asset checkers referenced by the NCSC to test any domains that could have been targeted, and should treat a positive result as a compromise until proven otherwise.

Why this matters

Firewalls and VPN gateways sit at the perimeter of the network. A working credential for one of these devices gives an attacker a foothold that bypasses most internal controls, opening the door to lateral movement, data theft, deployment of ransomware and quiet persistence via new administrator accounts or VPN tunnels. Because these devices are trusted by design, malicious activity through a valid login is often difficult to distinguish from legitimate remote access.

NCSC recommended actions

  • Patch immediately. Apply the latest Fortinet firmware for FortiOS, FortiGate and Fortinet VPN products.
  • Rotate every credential. Reset all local, administrator and VPN user passwords, and revoke API keys and long-lived tokens.
  • Enforce multi-factor authentication on all remote access and administrative logins, without exception.
  • Review logs for unexpected successful logins, new accounts, configuration changes, unfamiliar VPN tunnels and traffic to unusual destinations.
  • Reduce exposure. Restrict management interfaces to trusted networks and place VPN portals behind additional access controls.

The offline alternative

The Fortinet campaign is a reminder that every internet-connected control is, in the end, reachable. Perimeter devices can be patched, hardened and monitored, but they cannot be made unreachable while they remain online. Firevault takes a different approach at the storage layer. Data protected by Layer 1 physical air gap storage is physically disconnected from any network by default, so a stolen VPN credential, a compromised firewall or an attacker moving laterally through the estate has no route to it. The perimeter can fail, and the crown-jewel data still cannot be read, exfiltrated or encrypted.

Key takeaways

  • Assume exposure. If Fortinet VPN or firewall management has been reachable from the internet, check with a FortiBleed asset checker and treat any hit as a compromise.
  • Credentials are the currency. The leaked database exists because passwords were reused and rarely rotated. Multi-factor authentication and unique credentials remove most of the value.
  • Perimeter controls are not a last line of defence. They are the first line, and they will occasionally fall. Plan for that reality.
  • Air gap the data that must not be lost. If it is not on the network, it cannot be reached through a compromised firewall or VPN.

Analysis by Mark Fermor, Firevault.

About the author

Mark Fermor

Mark Fermor

Director & Co-Founder

Co-founder of Firevault, focused on offline secure storage and protecting individuals and businesses from fraud, fines, loss and damage. Speaker, owner and advisor.

Share this article

Breaking News
Breach Analysis8 July 20263 min read

NCSC warns UK organisations over global Fortinet firewall and VPN credential leak

The National Cyber Security Centre has issued an alert after a threat actor leaked a database of credentials harvested from brute-force and credential-stuffing attacks against internet-facing Fortinet firewalls and VPN gateways. UK organisations using FortiGate or Fortinet VPN portals are urged to investigate exposure and apply mitigations immediately.

NCSC warns UK organisations over global Fortinet firewall and VPN credential leak
Mark Fermor
Published by Mark Fermor, Director & Co-Founder