74,000 Fortinet firewalls breached, leaking plaintext credentials

Key Takeaways

- Nearly 74,000 Fortinet devices across 194 countries were compromised, with plaintext credentials now exposed online.
- Major organizations affected include Oracle, Chevron, Lenovo, FedEx, Samsung, and a Turkish NATO defense contractor from which classified documents were stolen.
- Attackers used a 45-GPU cluster and a 12-level recursive password cracking system to move from firewall access to full Active Directory compromise.

Security researchers have discovered that Russian-speaking attackers compromised nearly 74,000 Fortinet firewalls across 194 countries, exposing plaintext credentials for some of the world's largest organizations. The victims include Oracle, Chevron, Lenovo, Federal Express, Samsung, Foxconn, Comcast, Siemens, PwC, Accenture, and Fortinet itself. A Turkish NATO defense contractor had classified documents stolen.
Bob Diachenko, head of SecurityDiscovery.com, found the data after gaining access to the attackers' command-and-control server. The exposed information went beyond credentials. It included each compromised organization's industry, revenue, and employee count.
How big is this Fortinet breach?
The 74,000 compromised devices represent roughly half of all internet-facing Fortinet firewalls, based on Shodan polling. Independent researcher Kevin Beaumont confirmed that "almost all" of the affected devices remained online as of Wednesday morning. He verified with multiple organizations that the leaked credentials are real and still active.
The top countries with compromised devices were India, the United States, Taiwan, Mexico, Turkey, and Thailand. IT services, construction materials, telecommunications, industrial equipment, and financial services took the hardest hits. Hudson Rock, a security firm that analyzed the data, said the database lists thousands of organizations including major government agencies and critical infrastructure providers.
How did the attackers crack thousands of firewalls?
The operation combined brute force at scale with genuine technical sophistication. Attackers began by mass-scanning the internet for FortiGate remote login endpoints. They then deployed a custom binary with 25,000 threads to spray hundreds of thousands of those endpoints with login and password combinations.
Each successful login gave the attackers what Diachenko called "a network tap inside the organization." From there, they intercepted SSL VPN authentication hashes and cracked them using a dedicated 45-GPU cluster managed through Hashtopolis.
The password cracking itself was unusually clever. The attackers ran what Hudson Rock described as a "feedback-driven, 12-level recursive system." Password candidates came from custom dictionaries with up to eight words, common keyboard patterns, and specialized cracking rules. Each successful guess was fed back as a seed to generate new candidates. The system got smarter with every password it broke.
"The scale is the sophistication," Diachenko said. Once inside, the attackers moved laterally to compromise Active Directory environments and other centralized authentication systems like RADIUS servers.
Why did this work so well?
Firewalls have long been a favorite entry point for attackers. They accept connections from the outside internet, sit at the network perimeter, and have access to valuable resources inside. Exposing administrative interfaces to the public internet is a known risk that many IT departments have failed to address.
The irony is that the attackers made amateur operational security mistakes. They left artifacts on their command-and-control server, which is how Diachenko found them. In hacker circles, this is considered sloppy. But it did not slow down the campaign.
What should organizations do now?
Diachenko, Beaumont, and Hudson Rock all urged Fortinet users to investigate their networks immediately for signs of compromise. Hudson Rock released a search engine for locating affected domains.
- Check if your organization's domains appear in the leaked database using Hudson Rock's lookup tool.
- Rotate all credentials associated with Fortinet devices, even if you do not find evidence of compromise.
- Audit Active Directory and RADIUS server logs for unusual authentication patterns.
- Disable public internet access to administrative interfaces.
- Implement phishing-resistant MFA for all network administration tasks.
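As an added illustration of the log audit in the list above (this is example code, not from the article, Hudson Rock or Fortinet), the script below scans FortiGate-style SSL VPN event lines for the password-spray pattern the campaign relied on: one remote IP failing against many distinct accounts, and the higher-priority case where a successful tunnel from that same IP follows the spray. The sample log lines and the field names (action, user, remip, reason) are constructed assumptions modelled on FortiGate's key=value syslog layout; check them against your own device's output before use.

```python
import re
from collections import defaultdict

# Constructed sample in FortiGate-style key=value format (field names assumed).
SAMPLE_LOG = """\
date=2026-02-18 time=03:10:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-02-18 time=03:10:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-02-18 time=03:10:03 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=203.0.113.7 reason="sslvpn_login_unknown_user"
date=2026-02-18 time=03:10:04 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-02-18 time=03:10:09 type="event" subtype="vpn" action="tunnel-up" user="dave" remip=203.0.113.7
date=2026-02-18 time=08:00:00 type="event" subtype="vpn" action="ssl-login-fail" user="erin" remip=198.51.100.5 reason="sslvpn_login_permission_denied"
date=2026-02-18 time=08:00:30 type="event" subtype="vpn" action="tunnel-up" user="erin" remip=198.51.100.5
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect_spray(log_text, min_users=3):
    """Return {remip: finding} for sources that failed logins against at least
    min_users distinct accounts. 'success_after_spray' lists accounts that then
    logged in from the same source: treat those as likely compromised."""
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0, "successes": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "vpn":
            continue
        state = per_ip[ev.get("remip")]
        if ev.get("action") == "ssl-login-fail":
            state["failures"] += 1
            state["users"].add(ev.get("user"))
        elif ev.get("action") == "tunnel-up":
            # A success only matters here if this source was already spraying.
            if len(state["users"]) >= min_users:
                state["successes"].append(ev.get("user"))
    return {
        ip: {"distinct_users": len(s["users"]), "failures": s["failures"],
             "success_after_spray": s["successes"]}
        for ip, s in per_ip.items() if len(s["users"]) >= min_users
    }

if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_LOG).items():
        print(ip, finding)
```

On the constructed sample, 203.0.113.7 is flagged with four distinct accounts and a later successful login as "dave", while the single failed attempt from 198.51.100.5 stays below the threshold.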
The incident has reignited debate over exposing management interfaces to the public internet. Security professionals have warned about this practice for years. This breach demonstrates the consequences at scale.
What does this mean for enterprise security?
The "FortiBleed" campaign, as some researchers are calling it, marks an escalation in industrial-scale cyber espionage. By compromising the firewall, the first line of defense, attackers turned victim organizations' own security infrastructure against them. The combination of automated credential stuffing and GPU-accelerated hash cracking is not new. What's new is the scale and the systematic targeting of enterprise perimeter devices.
Organizations that assumed their firewall was the trusted boundary now face an uncomfortable reality: if your Fortinet device was exposed to the internet, assume it was compromised. Act accordingly.
Frequently Asked Questions
How many Fortinet devices were compromised in this breach?
Nearly 74,000 Fortinet devices from more than 21,000 IP addresses across 194 countries were compromised, representing roughly half of all internet-facing Fortinet firewalls.
Which organizations were affected by the Fortinet breach?
Confirmed victims include Oracle, Chevron, Lenovo, FedEx, Foxconn, Samsung, Comcast, Siemens, PwC, Accenture, Fortinet itself, and a Turkish NATO defense contractor. Thousands of other organizations, including government agencies, were also affected.
How did attackers crack Fortinet firewall credentials?
Attackers used a 45-GPU cluster to crack intercepted SSL VPN authentication hashes. They employed a 12-level recursive system where each successful password guess generated new candidates, making the cracking more effective over time.
How can I check if my organization was affected?
Hudson Rock released a search engine that allows organizations to check if their domains appear in the leaked database. Security researchers recommend immediate network investigation regardless.
What should Fortinet users do to protect themselves?
Rotate all Fortinet-associated credentials, audit Active Directory and RADIUS logs, disable public internet access to admin interfaces, and implement phishing-resistant MFA for all network administration.

Logicity's Take
The most striking detail here is not the breach itself but the economic logic behind it. Building a 45-GPU cracking cluster and a 25,000-thread scanning tool costs money. The attackers built verified dossiers on victim organizations with revenue and employee counts, which suggests they intended to sell access or data, not just steal it. This is a breach-as-a-service operation, and its customers could include ransomware gangs, state actors, or corporate espionage outfits. The victims are not just compromised. They are inventory.
Need Help Implementing This?
If your organization uses Fortinet devices and you need help auditing your network for signs of compromise, or implementing stronger authentication controls, reach out to Logicity's security advisory partners. We can connect you with specialists who handle incident response and perimeter hardening.
Source: Ars Technica
Manaal Khan
Tech & Innovation Writer