A Russian-speaking criminal crew has compromised nearly 74,000 Fortinet firewall and VPN devices and dumped their plaintext credentials online, handing attackers near-unrestricted access to some of the world's largest organizations. Security researcher Bob Diachenko of SecurityDiscovery.com uncovered the haul after gaining access to the attackers' command-and-control server, and his findings were corroborated by Ars Technica, independent researcher Kevin Beaumont, and the security firm Hudson Rock. Confirmed victims reportedly include Oracle, Chevron, Lenovo, Federal Express, a NATO defense contractor, and Fortinet itself.
What Happened
Diachenko reported that nearly 74,000 Fortinet devices spread across more than 21,000 IP addresses in 194 countries were breached, with their plaintext credentials exposed publicly. According to polling from Shodan, that figure represents roughly half of all Internet-facing Fortinet firewalls worldwide. The exposed dataset went beyond raw logins: it also catalogued each compromised organization's industry, revenue, and employee count, effectively giving the attackers a pre-sorted target list ranked by value.
Kevin Beaumont reported that "almost all" of the compromised devices remained online as of Wednesday morning, and that he confirmed with multiple organizations in the attackers' logs that the credentials were real and current. In many cases the threat actors did not stop at the gateway. After compromising a device, they pivoted to centralized authentication systems, including RADIUS servers and Microsoft Active Directory, turning a single firewall foothold into domain-wide access.
What Was Taken
The core of the breach is a verified database of working credentials for tens of thousands of networks. Hudson Rock described it bluntly: "The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet." Each compromised device functioned as what Diachenko called a "network tap inside the organization," giving attackers a live listening post on enterprise traffic.
Beyond credentials, the attackers harvested SSL VPN authentication hashes intercepted directly from live sessions, plus the enrichment metadata (industry, revenue, headcount) that let them prioritize the most lucrative victims. The breadth is the story here: Hudson Rock noted "the scale of this breach touches nearly every sector of the global economy, sparing no industry."
Why It Matters
Firewalls and VPN gateways are the front door to the network, and they are trusted implicitly by everything behind them. A verified, current credential set for half the Internet-facing Fortinet fleet is not a future risk; it is active access sitting in criminal hands right now. Because the attackers reached RADIUS and Active Directory in many environments, the blast radius extends far past the perimeter device into identity infrastructure that governs every user and system.
The fact that the credentials are confirmed live, and that nearly all compromised devices remained online during reporting, means defenders are racing an adversary who already has the keys. With victims spanning critical sectors, including a NATO defense contractor and major energy, technology, and logistics firms, the strategic exposure crosses from cybercrime into national-security territory.
The Attack Technique
The operation was industrial in scale and notably sloppy in operational security, which is how Diachenko was able to access the C2 server in the first place. The attackers began by mass-scanning the Internet for FortiGate remote login endpoints. They then deployed a custom binary running 25,000 threads to spray hundreds of thousands of those endpoints with thousands of username and password combinations, a brute-force and credential-stuffing campaign at massive throughput.
Successful logins were converted into persistent footholds. Hudson Rock reported the crew went on to "actively intercept SSL VPN authentication hashes and crack them using a massive, dedicated 45-GPU cluster managed via Hashtopolis." That GPU cluster cracked captured hashes at scale, feeding fresh credentials back into the operation and extending access deeper into each victim environment.
What Organizations Should Do
- Treat every Internet-facing Fortinet device as compromised until proven otherwise, and hunt now for signs of unauthorized access rather than waiting for confirmation.
- Rotate all credentials associated with FortiGate devices immediately, including local admin accounts, VPN user passwords, and any service or RADIUS credentials touched by the gateway.
- Force a password reset across centralized authentication systems, especially RADIUS servers and Active Directory, since attackers pivoted to these in many cases.
- Check exposure using Hudson Rock's affected-domain search engine and cross-reference your IP ranges against the disclosed dataset.
- Audit firewall and VPN logs for anomalous logins, new admin accounts, configuration changes, and signs of SSL VPN session interception.
- Enforce phishing-resistant multifactor authentication on all remote access, patch FortiOS to current versions, and restrict management interfaces from public exposure.
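Added example, not code from the article or from Fortinet: a small Python detector for the log audit recommended above, tuned to the brute-force and credential-spraying pattern described under The Attack Technique. It parses constructed FortiGate-style key=value log lines (field names, action values and IP addresses are illustrative approximations, not real device output) and flags source IPs that show a burst of failed logins, many distinct usernames tried, or a successful login arriving after such a burst.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate's key="value" syslog style. Field names
# are approximations for illustration, not output copied from a real device.
SAMPLE_LOGS = """\
date=2025-01-15 time=09:00:01 type="event" subtype="system" action="login" status="failed" user="admin" ui="https(203.0.113.10)"
date=2025-01-15 time=09:00:02 type="event" subtype="system" action="login" status="failed" user="admin" ui="https(203.0.113.10)"
date=2025-01-15 time=09:00:02 type="event" subtype="system" action="login" status="failed" user="fortinet" ui="https(203.0.113.10)"
date=2025-01-15 time=09:00:03 type="event" subtype="system" action="login" status="failed" user="maint" ui="https(203.0.113.10)"
date=2025-01-15 time=09:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.10
date=2025-01-15 time=09:00:05 type="event" subtype="system" action="login" status="success" user="admin" ui="https(203.0.113.10)"
date=2025-01-15 time=09:10:00 type="event" subtype="system" action="login" status="success" user="netops" ui="https(198.51.100.7)"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def source_ip(rec):
    """Admin logins carry the client in ui="https(IP)"; SSL VPN events use remip=IP."""
    m = IP_RE.search(rec.get("remip") or rec.get("ui", ""))
    return m.group(1) if m else None

def detect_spray(lines, fail_threshold=3):
    """Flag source IPs that show the brute-force signature: a run of failed logins,
    many distinct usernames tried, or a success arriving after such a run."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": False})
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") not in ("login", "ssl-login-fail"):
            continue
        ip = source_ip(rec)
        if ip is None:
            continue
        failed = rec.get("status") == "failed" or rec["action"] == "ssl-login-fail"
        if failed:
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(rec.get("user", "?"))
        elif stats[ip]["failures"] >= fail_threshold:
            stats[ip]["success_after"] = True   # a hit after spraying: treat as compromise
    return {ip: {"failures": s["failures"], "distinct_users": len(s["users"]),
                 "success_after_failures": s["success_after"]}
            for ip, s in stats.items()
            if s["failures"] >= fail_threshold or s["success_after"]}
```

A flagged IP with success_after_failures set is the case to escalate first: it matches the article's sequence of a spray followed by a working login, so the account involved should be treated as compromised and rotated.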
Sources: Massive breach spills credentials for thousands of sensitive networks - Ars Technica