a credential-harvesting campaign labeled fortibleed has compromised over 430,000 fortigate firewall devices globally, with more than 110 million credentials stolen from live network traffic. the operation has been running since at least february 2026, with an access broker called santaad selling harvested credentials on a russian forum since early 2025. this is structurally significant because fortigate devices are perimeter security infrastructure — the devices meant to stop intrusions are themselves the source of the breach, at a scale that implies systemic exposure across organizations globally.