Attackers stole credentials from 75,000 Fortinet firewalls across 194 countries
If your FortiGate handles VPN or admin access, rotate passwords and verify MFA, because stolen logins can mean total network takeover.

Hudson Rock analyzed leaked data tied to a credential-stealing campaign affecting around 75,000 Fortinet firewall devices, spanning 194 countries and 21,632 unique domains. The breach raises immediate operational stakes for boards and CISOs: attackers reportedly have verified working credentials for major enterprises, prompting urgent password and access remediation.
If you run a Fortinet firewall, the math is simple and uncomfortable: security researchers say attackers accessed around 75,000 Fortinet firewall devices and stole credentials, affecting organizations across 194 countries.
Hudson Rock, which analyzed the data, said the leak affects 21,632 unique domains. It also claims the stolen FortiGate passwords belong to accounts tied to multinational corporations including FoxConn, Samsung, Comcast, Siemens, Lenovo, FedEx, PxW, Accenture, Oracle and many others. The immediate consequence is not theoretical. The reporting describes cases where attackers gained full network compromise, and the stolen credentials were verified by researchers and other security teams.
Here is why this matters to decision-makers, not just technicians: a firewall is supposed to be the checkpoint. If the credentials on that checkpoint are valid, attackers do not need to find a new vulnerability. They need to log in. The reporting specifically urges organizations to rotate all passwords associated with Fortinet VPN and administrative interfaces and to ensure multi-factor authentication is turned on. The concern is straightforward: credential leaks can translate into full remote access to the firewall and potentially the entire corporate network.
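One way to check the MFA half of that advice against a FortiGate configuration backup, as an added example that is not code from the reporting or from Fortinet. It assumes the FortiOS backup syntax (config system admin, config user local, set two-factor) and that an account with no "set two-factor" line has it disabled because backups omit defaults; the function names and the sample config are constructed for illustration.

```python
# Constructed sample in FortiOS backup syntax (not taken from a real device).
SAMPLE_CONFIG = '''\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set two-factor fortitoken
    next
    edit "netops"
        set accprofile "super_admin"
    next
end
config user local
    edit "alice"
        set type password
        set two-factor email
    next
    edit "bob"
        set type password
    next
    edit "old-contractor"
        set status disable
        set type password
    next
end
'''
SECTIONS = {"system admin", "user local"}  # admin logins and local VPN users

def audit_accounts(config_text):
    """Return (section, account, has_mfa) for every enabled account."""
    findings, stack, name, settings = [], [], None, {}
    for raw in config_text.splitlines():
        verb, _, rest = raw.strip().partition(" ")
        if verb == "config":
            stack.append(rest.strip())        # track nesting (VDOMs, sub-tables)
        elif verb == "end" and stack:
            stack.pop()
        elif stack and stack[-1] in SECTIONS:
            if verb == "edit":
                name, settings = rest.strip().strip('"'), {}
            elif verb == "set" and name:
                key, _, val = rest.strip().partition(" ")
                settings[key] = val.strip().strip('"')
            elif verb == "next" and name:
                if settings.get("status") != "disable":
                    # Assumption: a missing two-factor line means it is off.
                    mfa = settings.get("two-factor", "disable") != "disable"
                    findings.append((stack[-1], name, mfa))
                name = None
    return findings

def missing_mfa(config_text):
    return [f"{sec}/{acct}" for sec, acct, ok in audit_accounts(config_text) if not ok]
```

Every account the audit returns, with or without MFA, is also a candidate for the password rotation the reporting urges.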
The attack story also includes numbers that explain the scale and the method. Researcher Volodymyr “Bob” Diachenko said he first spotted the intrusions and attributed them to a Russian-speaking group. In his write-up, he said the operation intercepts SSL VPN authentication, cracks hashes on a 45-GPU cluster managed via Hashtopolis, then pivots into internal Active Directory environments. He also wrote that the operation processed 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MSSQL servers.
The same reporting says at least four organizations were fully pwned, including a Turkish NATO defense contractor, where Diachenko claims classified defense documents were stolen. The implication for boards and auditors is not only “were credentials exposed,” but also “what happened after authentication worked.” If valid logins were used to pivot into Active Directory, then the blast radius can extend into identity systems that govern everything from file access to production systems.
Other verification details push this from rumor into something closer to an operational checklist. Security sleuth Kevin Beaumont also verified the stolen credentials and said “the data is legit.” He wrote that he worked with several organizations listed and could confirm the logins and passwords are real. Beaumont also noted that many compromised Fortinet devices are on fairly recent patches, which matters because it blurs the usual boundaries between “patchable exploit” and “credential-focused intrusion.”
Scale gets more concrete when you look at the device landscape. According to Shodan, the massive heist comprises about half of all internet-facing Fortinet firewalls. Plus, Beaumont noted most compromised Fortinet devices remain online. That combination, internet-facing exposure plus persistence, is exactly what turns a credential leak into a continuing risk rather than a one-time incident. In other words, the attacker does not have to start from scratch every day.
One complication that organizations should pay attention to is the vendor response. After this story was first published, Fortinet responded and denied that the attacks are fresh. Fortinet claimed the data on the dark web comes from prior breaches. In a statement to The Register, a Fortinet spokesperson said: “Based on our analysis, the data involved is a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory.” The spokesperson added that organizations following routine best practices, including regularly refreshing security credentials, face minimal risk from credential compromise, referencing detail in a March blog. The reporting also notes The Register reached out to affected companies; Lenovo said it was looking into it, and the rest did not respond.
So what should executives and boards do with the uncertainty about “fresh versus old”? Either way, the operational action is similar: if your organization’s domains are included, treat the credentials as compromised. Even if Fortinet is correct that the data is reshared and partially driven by bruteforcing, working passwords are still working passwords. And because Fortinet devices are widely deployed as the gate to VPN and administrative interfaces, credential validity can create outsized business risk in a short window.
For peers, the lesson is also bigger than one vendor. Credential theft at this scale hits identity and access governance, which are foundational to regulatory readiness, incident response readiness, and insurance posture. When a leak touches many sectors and spans nearly every region, the board-level question becomes: do we have a process that can rotate, validate, and enforce MFA quickly across edge devices and remote access paths, not just across apps? The names and counts in this story make it clear that the stakes are global, and the threat is immediate wherever FortiGate credentials remain reusable.