Hackers breach 73,000 Fortinet firewalls using old passwords

Manaal Khan · 18 June 2026 at 12:07 am · 5 min read

Key Takeaways

Source: TechCrunch
  • Over 73,000 Fortinet devices compromised globally using leaked passwords, not zero-day vulnerabilities
  • Major companies affected include Samsung, Oracle, Accenture, Lenovo, Siemens, and PwC
  • Compromised firewalls are being weaponized to harvest more credentials, creating a self-sustaining attack loop

Cybercriminals have breached tens of thousands of Fortinet firewalls and VPNs at major corporations worldwide, and the attack method is embarrassingly simple: old passwords that were never changed.

The campaign, dubbed FortiBleed by researchers, has compromised devices at Accenture, Samsung, Oracle, Lenovo, Siemens, Foxconn, Comcast, and PwC, according to reports published this week by cybersecurity firms Hudson Rock and SOCRadar. Hudson Rock estimates over 73,000 unique Fortinet URLs have been hacked. SOCRadar puts the number above 30,000.

The attackers aren't exploiting some sophisticated zero-day vulnerability. They're scanning the internet for exposed Fortinet devices, then breaking in with lists of previously leaked passwords. Once inside, they turn the firewall itself into a listening post.

How the attack feeds itself

The mechanics are straightforward but devastating. Hackers use automated tools to find Fortinet firewalls and VPNs exposed to the public internet. They try known passwords. When one works, they don't just steal data. They monitor all traffic passing through the device, collecting fresh credentials in real time.

"Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself," SOCRadar wrote in its report.

This self-sustaining loop explains the scale. According to research findings, the campaign has launched over 1.16 billion brute-force and credential-stuffing attempts against Fortinet interfaces. Devices in 194 countries have been affected, with India, the United States, Taiwan, and Mexico seeing the highest concentrations.

Which industries are most exposed?

IT services tops the list of affected industries, followed by construction materials and telecommunications. Government agencies are also among the victims, per SOCRadar. Both security firms attribute the campaign to Russian-speaking threat actors.

The affected companies have been largely silent. Lenovo acknowledged TechCrunch's request for comment but didn't respond. Accenture, Comcast, Foxconn, Oracle, Samsung, Siemens, and PwC didn't reply. Fortinet itself has not commented.

Security researcher Bob Diachenko first reported the campaign over the weekend. Kevin Beaumont analyzed the leaked credential data independently and confirmed it "is legit" in a blog post Wednesday.

Why this keeps happening to Fortinet devices

Fortinet firewalls have been targeted repeatedly in recent years, usually through vulnerabilities in the software. This attack is different. There's no clever exploit chain, no unknown bug. The attackers are simply trying passwords that shouldn't still work.

The root problem is basic credential hygiene. Companies deploy firewalls with default or weak passwords, expose management interfaces to the public internet, and never rotate credentials. When those passwords appear in breach databases, attackers scoop them up.

Discussion on Hacker News has centered on this recurring failure. Users debated whether hardware vendors should enforce stricter security defaults, and whether corporations bear more blame for failing to implement multi-factor authentication or rotate credentials. The consensus: both are culpable, but the immediate responsibility sits with the companies running these devices.

AI-powered automation is changing the threat math

What makes FortiBleed notable isn't the technique. Credential stuffing is old. The scale is new. AI-driven automation tools now allow relatively unsophisticated actors to scan, test, and exploit at speeds that would have required significant infrastructure a few years ago.

The campaign represents a broader shift. Rather than hunting for zero-days, attackers are pivoting to mass automation against known weaknesses. A vulnerable firewall that's been sitting on the internet for three years with unchanged credentials is just as valuable as one with an unpatched bug. Often more valuable, because it's easier to exploit.

For defenders, this changes the priority stack. Patching still matters. But credential rotation, MFA enforcement, and network segmentation are now table stakes, not nice-to-haves.

What affected companies should do now

If you run Fortinet devices, the immediate actions are clear: rotate all credentials, enable multi-factor authentication on management interfaces, and check whether your devices are exposed to the public internet. If they are, move them behind a VPN or restrict access to known IP ranges.

Beyond immediate triage, organizations should assume any exposed Fortinet device may be compromised. Review logs for unusual traffic patterns. Check for new admin accounts or configuration changes. Consider engaging incident response specialists to determine if attackers have pivoted deeper into the network.
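
One way to carry out the log review described above, as an added example (not from the original article or any vendor): it flags a burst of failed logins across several usernames from one source that ends in a success, and any admin account created afterwards. The log lines are constructed, and the key=value field names are assumptions rather than a documented Fortinet schema.

```python
import re
from collections import defaultdict

# Constructed sample events in a key=value style. The field names (srcip, user,
# action, status, cfgpath, cfgobj) are assumptions, not a vendor log schema.
SAMPLE_LOG = "\n".join(
    [f'time=02:11:0{i} srcip=203.0.113.7 user="{u}" action="login" status="failed"'
     for i, u in enumerate(["admin", "root", "fwadmin", "support", "netops"])]
    + ['time=02:11:09 srcip=203.0.113.7 user="netops" action="login" status="success"',
       'time=02:12:30 srcip=203.0.113.7 user="netops" action="add" cfgpath="system.admin" cfgobj="svc_backup"',
       'time=08:00:01 srcip=198.51.100.20 user="alice" action="login" status="failed"',
       'time=08:00:09 srcip=198.51.100.20 user="alice" action="login" status="success"'])

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value line into a dict, handling quoted values."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def analyze(log_text, min_failures=5, min_users=3):
    """Return findings for stuffing-then-success logins and new admin accounts."""
    failures = defaultdict(list)   # source IP -> usernames that failed (no time window here)
    suspects = set()               # accounts that logged in right after a stuffing burst
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") == "login":
            ip, user = ev.get("srcip"), ev.get("user")
            if ev.get("status") == "failed":
                failures[ip].append(user)
            elif ev.get("status") == "success":
                tried = failures[ip]
                # Many failures spread over several usernames, then a hit: treat as compromise.
                if len(tried) >= min_failures and len(set(tried)) >= min_users:
                    findings.append(("stuffing_success", ip, user))
                    suspects.add(user)
        elif ev.get("action") == "add" and ev.get("cfgpath") == "system.admin":
            kind = "admin_added_after_suspect_login" if ev.get("user") in suspects else "admin_added"
            findings.append((kind, ev.get("user"), ev.get("cfgobj")))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A single mistyped password followed by a success (the `alice` lines) stays below both thresholds and is not reported; in production the failure counts would also be bounded by a time window.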

Logicity's Take

FortiBleed is a sobering reminder that sophisticated attacks don't require sophisticated techniques. The companies hit here aren't small businesses with no security budget. They're Accenture, Oracle, Samsung, and Siemens. Yet the attackers got in using passwords that should have been changed years ago. The real lesson: no security appliance protects you if you don't secure the appliance itself.

Frequently Asked Questions

What is the FortiBleed attack?

FortiBleed is an ongoing hacking campaign targeting Fortinet firewalls and VPNs. Attackers use automated tools to scan for exposed devices and break in using lists of previously leaked passwords, then harvest additional credentials from network traffic.

Which companies were affected by the Fortinet firewall hack?

According to Hudson Rock, affected companies include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC. Government agencies in multiple countries have also been compromised.

Is FortiBleed exploiting a Fortinet vulnerability?

No. The attackers are using credential stuffing with leaked passwords, not exploiting a software vulnerability. The attack succeeds because organizations haven't changed default or compromised passwords.

How can I protect my Fortinet devices from FortiBleed?

Rotate all credentials immediately, enable multi-factor authentication, and ensure management interfaces aren't exposed to the public internet. Review logs for signs of compromise and consider engaging incident response if your devices were exposed.

How many Fortinet devices have been compromised?

Hudson Rock estimates over 73,000 unique Fortinet URLs have been hacked. SOCRadar puts the figure above 30,000. Devices in 194 countries have been affected.

Source: TechCrunch / Lorenzo Franceschi-Bicchierai

Manaal Khan

Tech & Innovation Writer
