A phishing attack at a health tech firm nets the data of nearly 1.4 million people. Cybercriminals bag 3 million Texans' personal information. A crypto bot built to pounce on opportunity gets fed a fake one and pays dearly for it. Fortinet comes out on FortiBleed. It's not a bug. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started.
A phishing attack has cost a US healthcare technology firm the personal data of nearly 1.4 million people. The company is called Axalis, and it builds AI-powered software used by more than 600 hospitals and health insurers. Its platform, Dragonfly, reads clinical data in real time to guide decisions on patient care and insurance coverage. That includes medical necessity reviews, patient status, discharge planning and reimbursement. According to Bleeping Computer, the trouble started on January 20th. A targeted phishing attack gave intruders their foothold in the Axalis network. The company caught the unauthorized activity two days later on January 22, contained it and brought in outside experts. The investigation found the attackers reached files holding customer information. The list is the kind of data that does real damage. Names, addresses, dates of birth, health insurance details, Social Security numbers, and most painfully of all, medical treatment information were all lost in the breach.
Axalis isn't the only organization explaining a breach. This week, 3 million people who just wanted to hunt or fish in Texas have had their personal data exposed. The Texas Parks and Wildlife Department has disclosed a breach, and like a lot of breaches lately, it didn't happen on their own system. According to Security Week, the department learned from the Texas Cyber Command that a third-party vendor, the company that sells hunting and fishing licenses, had been hacked. The data taken is enough to do harm. Email addresses, physical addresses, phone numbers, driver's license information and in some cases, passport numbers. More than 3 million license holders may be caught up in the breach. There is some good news. The department says Social Security numbers, dates of birth and financial information were not taken and there's no evidence that anyone under 18 was caught up in the breach. Who the vendor is and who the criminal group is behind the attack are both still unknown.
Those two breaches had real victims, people who handed over their data and trusted someone to guard it. This next one may be a little bit harder to feel sorry for. An Ethereum trading bot called Jared from Subway has lost $15 million. It lost it the same way it made it: automatically, except this time the bot got played. Jared from Subway is what's known as a maximal extractable value bot, or an MEV. It's one of Ethereum's most aggressive sandwich bots. What's a sandwich bot? Well, this is the kind of bot that spots your pending trade on the blockchain. It buys in just ahead of you, lets your trade push the price up and then sells right after. You end up with a worse price. The bot pockets the difference. It's legal, but it's far from loved in the crypto trading community. It reportedly costs traders up to $60 million a year. The bot's whole job is to scan for profitable opportunities and pounce in milliseconds. A clever attacker built it some irresistible opportunities. According to Bleeping Computer, the attacker deployed fake pools and tokens engineered to look like rich targets for an MEV. The bot took the bait. Over 90 wrapped ether was sitting approved in an attacker-controlled smart contract. Then they drained it. Ether, USDC and USDT pulled straight out. Blockchain security firm Blockade caught it on Saturday. The organization behind Jared from Subway offered a 3 million dollar bounty for the funds back. There was no reply. Then they escalated. They're letting the attacker keep half and want them to return the other half within 48 hours. There's been no deal confirmed. And Jared from Subway, they say they're not backing down. They say they're still king of the MEVs and that they have no plans to shut the bot off. Here's the key lesson. Automation has no instinct. A bot built to act on opportunity without judgment will act on a fake one just as fast as a real one. Build a machine that trusts what it sees and someone will eventually show it exactly what it wants to see. And the old adage is just as true for bots. Sometimes some offers are too good to be true.
We have an update on FortiBleed, the massive campaign that's targeted more than 430,000 Fortinet devices. And it's a story we've been tracking over the last two weeks. Fortinet has now weighed in. This isn't a vulnerability. They say there's no flaw, no patch and no advisory to wait on. The Hacker News reports that researchers tie this to a broader operation that's been leveraging over 110 million credentials against Fortinet and a half dozen other Internet-facing platforms. It's worth noting that this campaign looks like it's running on Moscow business hours. And attackers ranked their targets by economic value before they invested any effort. The advice from Fortinet on FortiBleed is sadly basic: reset admin and VPN credentials, turn on MFA everywhere and upgrade to a current release. And it's always a good idea to keep your firewall management access off the public Internet and to check your logs for accounts you don't recognize. None of this advice is new, and that's part of the problem.
Weak passwords are one problem. Attacks on companies you pay to manage your passwords are another. LastPass is sadly back on a breach notification list. According to TechCrunch, LastPass is notifying customers that their data was stolen, though to be fair, this time not from LastPass itself. LastPass was caught up in the recent CLU breach that we covered on Monday. CLU is the market research firm whose OAuth tokens were stolen and have dragged in a parade of security firms into a data breach mess. Hackers got into CLU and then used their OAuth tokens to help themselves to data about LastPass customers stored on Salesforce. That includes names, phone numbers, email addresses, physical addresses, plus customer support case records and sales data. LastPass says its own infrastructure was untouched, and crucially, the password vaults were not affected. Now about those support tickets. Nobody yet knows exactly what's in them, but support tickets are often where people paste things that they shouldn't, and past breaches elsewhere have surfaced credentials and even government ID tucked inside support tickets. When it comes to the CLU breach, LastPass isn't alone. It also hits security firms HackerOne, Recorded Future, and Tanium. Icarus, a newer name on the criminal scene, has claimed responsibility for the LastPass breach and is threatening to leak the data unless it gets paid. For LastPass, this is an unwelcome return to the headlines, and it's likely to bring back some painful memories. In 2022, attackers stole LastPass's entire store of customer password vaults. The vaults were encrypted, but customers with weak master passwords were exposed because thieves could crack them at their leisure offline. Researchers later linked a string of crypto thefts to those cracked vaults.
And that's Cybersecurity Today for Wednesday, June 24th. Thanks for listening. I'll be back on the news desk on Friday with the latest headlines. If you like the show, please tell a friend. We've grown tremendously this year thanks to listeners like you, liking, sharing and leaving ratings and reviews. Thank you so much. I've been your host, David Shipley. Have a great rest of your week.
Host: David Shipley
Date: June 24, 2026
In this episode, David Shipley examines several new cybersecurity incidents affecting millions: a major healthcare data breach, a vendor-related leak at Texas Parks and Wildlife, and a high-profile attack on a crypto trading bot. The central focus is on the ongoing "FortiBleed" campaign targeting Fortinet devices—where Fortinet insists there’s no vulnerability—alongside fresh trouble at LastPass due to a third-party breach. Throughout, Shipley highlights the persistent challenges of password management, the evolving threat landscape, and the lasting impact on affected individuals and organizations.
[00:13–02:03]
Incident Details:
Impact:
Immediate Response:
[02:04–03:07]
Breach Source:
Data Compromised:
Attribution and Ongoing Risk:
Quote:
“Those two breaches had real victims, people who handed over their data and trusted someone to guard it.” — David Shipley [03:08]
[03:09–05:09]
What Happened:
Aftermath:
Broader Lesson:
“Automation has no instinct. A bot built to act on opportunity without judgment will act on a fake one just as fast as a real one.” — David Shipley [05:00]
[05:10–06:13]
Campaign Summary:
Attack Dynamics:
Recommended Actions:
“None of this advice is new, and that’s part of the problem.” [06:10]
[06:14–08:00]
What Happened:
Concerns About Support Tickets:
Wider Impact:
Reference to Past Pain:
“This is an unwelcome return to the headlines, and it’s likely to bring back some painful memories.” — David Shipley [07:54]
Shipley remains matter-of-fact yet empathetic, emphasizing real-world impact and the recurring nature of common security failures. He sends a clear warning: even as technology advances, basic security hygiene remains critical—and all too often neglected, enabling attackers to reap recurrent rewards.