
Fortinet Breach Hits Oracle, Chevron, NATO Contractor

Russian-speaking attackers breached 74,000 Fortinet devices and dumped plaintext credentials for Oracle, Chevron, a NATO contractor, and more.

A breach of Fortinet firewalls has handed Russian-speaking attackers live credentials for some of the world's largest organizations.

Security researcher Bob Diachenko accessed the attackers' command-and-control infrastructure and found plaintext credentials for nearly 74,000 Fortinet devices spanning more than 21,000 IP addresses in 194 countries. The affected organizations include Oracle, Chevron, Lenovo, FedEx, a NATO defense contractor, and Fortinet itself. The stolen data went beyond login credentials; it also catalogued each target's industry, revenue, and employee count, suggesting deliberate targeting rather than purely opportunistic scanning. Independent researcher Kevin Beaumont confirmed with multiple affected organizations that the credentials are real and current.

In many cases, the attackers did not stop at the firewall. Once inside, they pivoted to centralized authentication systems, including Microsoft Active Directory and RADIUS servers, which can give an attacker access to an organization's entire network. Based on Shodan polling, the 74,000 compromised devices represent roughly half of all internet-facing Fortinet firewalls worldwide, making this less a targeted espionage operation and more an industrial-scale credential harvest.

Fortinet is itself among the victims, which makes for an uncomfortable headline for a company selling perimeter security. Whether organizations have patched fast enough to matter is a separate question; Beaumont noted that "almost all" compromised devices were still online days after the breach was first reported.

The Revision

Written by an AI system from the public sources credited above.