Attackers cracked 75,000 Fortinet firewalls with old passwords, not a zero-day
Originally published by The Next Web.
Security researchers have uncovered a sprawling cache of stolen credentials for Fortinet firewalls, exposing login details for tens of thousands of organisations around the world.
The dataset, dubbed “FortiBleed,” contains plaintext usernames, emails and passwords for 73,932 unique Fortinet FortiGate firewall and VPN devices across 194 countries, touching more than 21,000 domains. Researchers estimate that is roughly half of all Fortinet firewalls currently exposed to the internet.
The names appearing in the data read like a roll call of global industry: Oracle, Chevron, Lenovo, FedEx, Foxconn, Samsung, Comcast, Siemens, PwC and Accenture among them, alongside a NATO defence contractor. According to Ars Technica, Fortinet itself appears in the list.
One instructive part of FortiBleed is what it did not involve: there is no sign of a dazzling new flaw in Fortinet’s software.
Instead, researchers say the attackers scanned the internet for Fortinet devices, tried a curated list of already-known and previously leaked passwords against each one, and recorded every login that worked.
What they lacked in novelty they made up for in scale. The group sprayed hundreds of thousands of login endpoints, intercepted VPN authentication hashes and cracked them on a dedicated 45-GPU cluster, running more than a billion credential attempts. “The scale is the sophistication,” researcher Bob Diachenko told Ars Technica.
Once inside a device, they used it as a listening post, watching the traffic passing through and scooping up any fresh credentials that flowed by. A firewall, the thing meant to keep intruders out, became the perch they watched from.
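The pattern described above, one source trying a short list of known passwords against many accounts and keeping whatever works, has a distinctive shape in authentication logs: breadth across usernames rather than depth against one. The following is an added detection example written for this article, not code from the researchers or from Fortinet. The log lines are constructed and use a simplified key=value layout that is only assumed to resemble FortiGate event logs; the field names, IPs and users are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed, simplified format; not real device output).
# One source hits six different accounts in six seconds and lands one success;
# a second source is just one user mistyping a password and then getting in.
SAMPLE_LOGS = """\
date=2024-05-01 time=09:00:01 user="alice" srcip=203.0.113.7 action="login" status="failed"
date=2024-05-01 time=09:00:02 user="bob" srcip=203.0.113.7 action="login" status="failed"
date=2024-05-01 time=09:00:03 user="carol" srcip=203.0.113.7 action="login" status="failed"
date=2024-05-01 time=09:00:04 user="dave" srcip=203.0.113.7 action="login" status="failed"
date=2024-05-01 time=09:00:05 user="erin" srcip=203.0.113.7 action="login" status="failed"
date=2024-05-01 time=09:00:06 user="frank" srcip=203.0.113.7 action="login" status="success"
date=2024-05-01 time=09:30:00 user="alice" srcip=198.51.100.20 action="login" status="failed"
date=2024-05-01 time=09:30:05 user="alice" srcip=198.51.100.20 action="login" status="success"
"""

LINE_RE = re.compile(
    r'date=(\S+) time=(\S+) user="([^"]*)" srcip=(\S+) action="login" status="(\w+)"'
)


def parse(text):
    """Turn the key=value lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d, t, user, ip, status = m.groups()
        events.append({
            "ts": datetime.fromisoformat(f"{d} {t}"),
            "user": user,
            "ip": ip,
            "ok": status == "success",
        })
    return events


def find_sprays(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources that touch at least `min_users` distinct accounts inside `window`.

    Returns {srcip: {"users": set_of_targeted_users, "successes": set_of_users_logged_in}}.
    A success from a source that is spraying is the alert worth paging on: it is a
    credential the attacker now holds, regardless of how many failures preceded it.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window so it only covers events within `window` of the newest one.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e["user"] for e in in_window}
            if len(users) >= min_users:
                f = findings.setdefault(ip, {"users": set(), "successes": set()})
                f["users"].update(users)
                f["successes"].update(e["user"] for e in in_window if e["ok"])
    return findings


if __name__ == "__main__":
    for ip, f in find_sprays(parse(SAMPLE_LOGS)).items():
        print(f"{ip}: sprayed {len(f['users'])} accounts, "
              f"successful logins: {sorted(f['successes']) or 'none'}")
```

The threshold of five distinct users in ten minutes is a starting point, not a tuned value; on a busy VPN gateway the window and count should be set against the normal number of accounts a single address legitimately serves (NAT gateways and shared offices will otherwise trip it). The single-user source at 198.51.100.20 is deliberately not flagged: one account failing and then succeeding is ordinary behaviour, and the point of the breadth-based rule is to separate it from a spray.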
Diachenko, who found the data on the attackers’ own server, attributes the campaign to a Russian-speaking group. Security firms SOCRadar and Hudson Rock analysed the haul, and researcher Kevin Beaumont independently confirmed the logins are real and current. How the credentials were first obtained, likely from exported FortiGate configuration files, is still unclear.
An important caveat: exposed credentials are not the same as a fully breached network. The leak shows which doors could be opened, not that every organisation behind them was compromised.
The damage is not only theoretical, though. Diachenko says at least four organisations were fully compromised, including a Turkish NATO defence contractor from which classified documents were stolen.
Fortinet disputes the framing. It told reporters the data is “a re
📌 Source
This story was compiled from an XML feed. Read the original story for the full text.