Fortinet Password Leak Exposes Half of Internet-Facing Firewalls

A staggering 75,000 Fortinet firewalls, nearly half of all internet-facing devices of their kind, have had their admin credentials exposed in a new breach. The leak, discovered by security researcher Bob Diachenko, includes plaintext passwords, usernames, and email addresses that could give attackers direct access to critical network infrastructure.
A Widespread and Immediate Threat
The compromised data spans 194 countries and 21,634 unique domains, with high-profile organizations like Foxconn, Samsung, Comcast, Siemens, and even Fortinet itself appearing in the dataset. Security expert Kevin Beaumont confirmed the legitimacy of the leak, noting that credentials were verified as working across multiple organizations. The dataset appears to be recent, sourced from device configuration exports rather than an older vulnerability.
How the Attack Unfolded
Investigators found evidence suggesting a Russian-speaking threat group conducted over 1.16 billion credential attempts against Fortinet targets. The group used a 45-GPU cluster to crack intercepted SSL VPN authentication hashes, enabling them to harvest plaintext passwords. Further analysis revealed logs and tooling linked to the attackers, including scripts and connection strings, left exposed in an open directory. The breach also extended to over 163,000 Microsoft SQL Server systems, signaling a broader campaign.
Critical Infrastructure at Risk
Among the affected entities, a Turkish NATO defense contractor reportedly had classified documents stolen. Multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey were described as fully compromised. With the Fortinet management interface often exposed to the internet, the scale of potential intrusions remains a major concern for global cybersecurity.
Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.

