Massive password-stealing attack hits 75k Fortinet firewalls
Why are you even reading this?! Rotate your passwords!!
Jessica Lyons
Published Wed 17 Jun 2026 // 18:27 UTC
UPDATED If you have a Fortinet firewall, it's time to stop and change your passwords. Intruders somehow gained access to around 75,000 Fortinet firewall devices and stole credentials belonging to major corporations across 194 countries, in some cases leading to full network compromise.
Security researchers say that they have verified the data, and the cracked FortiGate passwords belong to accounts spanning multinational corporations including FoxConn, Samsung, Comcast, Siemens, Lenovo, FedEx, PxW, Accenture, Oracle and many others.
Check to see if your organization made the list of affected domains – and immediately rotate all passwords associated with Fortinet VPN and administrative interfaces.
Make sure multi-factor authentication is turned on, too, as this type of massive credential leak can lead to very serious consequences, giving attackers full, remote access to not only the firewall but the entire corporate network.
Hudson Rock, which analyzed the data, said the leak affects 21,632 unique domains.
“The scale of this breach touches nearly every sector of the global economy, sparing no industry. The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet,” the security shop said on its Infostealer blog.
Researcher Volodymyr “Bob” Diachenko first spotted the intrusions and attributed them to a Russian-speaking group.
“They intercept SSL VPN authentication, crack hashes on a 45-GPU cluster managed via Hashtopolis, and pivot into internal Active Directory environments,” he wrote on LinkedIn. “The operation processed 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MSSQL servers.”
Plus, according to Diachenko, the criminals fully pwned at least four organizations, including a Turkish NATO defense contractor, and, in that case, stole classified defense documents.
Security sleuth Kevin Beaumont, who also verified the stolen credentials, said “the data is legit.”
“I have worked with several orgs listed, and can confirm the logins and passwords are real,” Beaumont wrote. “Many of the devices sampled are on fairly recent patches.”
According to device search engine Shodan, the massive heist comprises about half of all internet-facing Fortinet firewalls. Plus, Beaumont noted, most of the compromised Fortinet devices remain online.
So if you’re still reading this story: stop now, and go reset your Fortinet firewall passwords stat.
After we first published this story, Fortinet responded to us, denying that the attacks are fresh and claiming that the data showing up on the dark web comes from prior breaches.
“Based on our analysis, the data involved is a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory,” a Fortinet spokesperson told El Reg. “Organizations that follow routine best practices, including regularly refreshing security credentials, as per guidance in this March blog, face minimal risk from credential compromise detail referenced in the reporting.”
The Register reached out to the companies affected by the so-called FortiBleed campaign for comment. Lenovo said it was looking into it; we didn't receive responses from the others. ®
Updated at 2118 with a statement from Fortinet.