Researchers have uncovered a large-scale compromise of Fortinet firewalls that exposed plaintext credentials for nearly 74,000 devices across 194 countries. The breach affects organizations including Oracle, Chevron, Lenovo, FedEx, and Fortinet itself, along with a NATO defense contractor.
Bob Diachenko, a security researcher, discovered the data after accessing the attackers' command-and-control server. The exposed information includes credentials for devices in industries such as IT services, telecommunications, and financial services. Other affected entities listed in the database include Foxconn, Samsung, Comcast, Siemens, PwC, and Accenture.
The attackers, described as Russian-speaking and criminally motivated, used mass scanning and a custom binary to target FortiGate remote login endpoints. They then employed a 45-GPU cluster to crack authentication hashes, which enabled lateral movement into systems such as Microsoft Active Directory. Kevin Beaumont confirmed that the credentials remain valid and that most of the compromised devices were still online as of Wednesday morning.
Hudson Rock researchers noted that classified defense documents were exfiltrated from a Turkish NATO contractor. The compromised devices represent roughly half of all Internet-facing Fortinet firewalls. Diachenko, Beaumont, and Hudson Rock urged affected organizations to check their networks immediately.