Intruders somehow gained access to around 75,000 Fortinet firewall devices and stole credentials belonging to major corporations across 194 countries, in some cases leading to full network compromise.
Hudson Rock's tally: 21,632 unique domains and a "verified database"
Security shop Hudson Rock, writing on its Infostealer blog, said the leak affects 21,632 unique domains and warned of the breadth of the compromise: “The scale of this breach touches nearly every sector of the global economy, sparing no industry. The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet.” Hudson Rock’s analysis was cited as part of reporting that traced the incident to what writers called the FortiBleed campaign.
Volodymyr “Bob” Diachenko: method, volume, and attribution
Researcher Volodymyr “Bob” Diachenko, who first spotted the intrusions, attributed the operation to a Russian-speaking group and described the actors’ methods on LinkedIn: “They intercept SSL VPN authentication, crack hashes on a 45-GPU cluster managed via Hashtopolis, and pivot into internal Active Directory environments.” Diachenko provided large-scale activity counts: the operation processed 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MSSQL servers. He also reported that the criminals fully pwned at least four organizations, and in one case — a Turkish NATO defense contractor — stole classified defense documents.
Kevin Beaumont: independent verification and device status
Security sleuth Kevin Beaumont verified the stolen credentials and wrote plainly that “the data is legit.” Beaumont added that he had worked with several organizations listed in the data and could confirm logins and passwords were real. He also noted an unsettling operational detail: many of the compromised Fortinet devices remain online, and many of the devices sampled were on fairly recent patches.
Scale, affected enterprises, and immediate remediation steps
Reporting identified multinational enterprises among those whose credentials appear in the stolen data, naming FoxConn, Samsung, Comcast, Siemens, Lenovo, FedEx, PxW, Accenture and Oracle, among “many others.” Measured against device search engine Shodan's count, the roughly 75,000 devices involved amount to about half of all internet-facing Fortinet firewalls. The Register said it reached out to Fortinet and the companies affected by the so‑called FortiBleed campaign for comment and did not receive a response; the story noted it would be updated if any responses arrived.
The published coverage delivered direct, concrete remediation guidance drawn from the same sources: change Fortinet passwords immediately; “immediately rotate all passwords associated with Fortinet VPN and administrative interfaces”; and turn on multi-factor authentication, because the credential leak can “lead to very serious consequences, giving attackers full, remote access to not only the firewall but the entire corporate network.”
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: verify whether your organization appears among the 21,632 affected domains, rotate passwords for Fortinet VPN and admin interfaces, and enable multi-factor authentication as reported countermeasures.
- Affected enterprises and procurement leaders: treat exposed firewall credentials as a potential vector for full network compromise — the reporting documents at least four total network takeovers and theft of classified defense documents in one case — and plan incident response, forensic review, and credential re-issuance accordingly.
- End users and the general public: organizations named in the breach include major consumer-facing companies; stolen firewall credentials can enable attackers to access internal networks, increasing the risk that personal or classified data held behind those networks may have been exposed.
Concrete facts in the record today: roughly 75,000 Fortinet devices accessed, 21,632 domains affected, activity measured in billions of credential attempts, confirmation from independent researchers that the data is real, and at least four full compromises with one involving classified documents. The simplest immediate action the reporting offers is unambiguous: if your organization uses Fortinet VPN or administrative interfaces, stop reading and rotate those credentials now, and enable multi-factor authentication. The Register said it will update the piece if Fortinet or affected companies respond; until then, defenders must act on the leaked credential database and the confirmation of its authenticity provided by multiple researchers.
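The reporting above describes billions of credential attempts against FortiGate SSL VPN logins and advises rotating credentials and enabling MFA. As an added example that is not part of The Register's coverage or any Fortinet tooling, the following Python script triages FortiGate-style SSL VPN event logs to flag password spraying, single-account brute force, and a successful login that follows a burst of failures, the signal that a leaked credential is already in use; the log field names, action values and sample lines are assumed and constructed, not taken from the incident.

```python
import re
from collections import defaultdict

# Constructed sample events (not real data) in a FortiGate-style key=value syslog
# layout. Field names and action values are assumed from the FortiOS SSL VPN event
# log convention; adapt them if your export differs.
SAMPLE_LOGS = """\
date=2025-10-01 time=08:00:01 type=event subtype=vpn action="ssl-login-fail" user="jsmith" remip=203.0.113.10
date=2025-10-01 time=08:00:02 type=event subtype=vpn action="ssl-login-fail" user="admin" remip=203.0.113.10
date=2025-10-01 time=08:00:03 type=event subtype=vpn action="ssl-login-fail" user="mlee" remip=203.0.113.10
date=2025-10-01 time=08:00:04 type=event subtype=vpn action="ssl-login-fail" user="svc_backup" remip=203.0.113.10
date=2025-10-01 time=08:00:06 type=event subtype=vpn action="tunnel-up" user="jsmith" remip=203.0.113.10
date=2025-10-01 time=08:05:00 type=event subtype=vpn action="ssl-login-fail" user="aturner" remip=198.51.100.7
date=2025-10-01 time=08:05:09 type=event subtype=vpn action="tunnel-up" user="aturner" remip=198.51.100.7
date=2025-10-01 time=09:00:00 type=event subtype=vpn action="ssl-login-fail" user="root" remip=192.0.2.55
date=2025-10-01 time=09:00:01 type=event subtype=vpn action="ssl-login-fail" user="root" remip=192.0.2.55
date=2025-10-01 time=09:00:02 type=event subtype=vpn action="ssl-login-fail" user="root" remip=192.0.2.55
date=2025-10-01 time=09:00:03 type=event subtype=vpn action="ssl-login-fail" user="root" remip=192.0.2.55
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def analyze(lines, fail_threshold=4, spray_users=3):
    """Map each suspicious source IP to a verdict: 'password_spray' (many accounts
    tried), 'spray_then_success' (same, then a login succeeded: rotate that account
    and hunt for follow-on activity), or 'brute_force' (one account hammered)."""
    fails = defaultdict(list)          # remip -> usernames that failed
    success_after = defaultdict(bool)  # remip -> a login succeeded after failures
    for line in lines:
        ev = parse_line(line)
        ip, user, action = ev.get("remip"), ev.get("user"), ev.get("action")
        if action == "ssl-login-fail":
            fails[ip].append(user)
        elif action == "tunnel-up" and fails.get(ip):
            success_after[ip] = True
    verdicts = {}
    for ip, users in fails.items():
        if len(users) < fail_threshold:
            continue  # below the noise floor for this source
        if len(set(users)) >= spray_users:
            verdicts[ip] = "spray_then_success" if success_after[ip] else "password_spray"
        else:
            verdicts[ip] = "brute_force"
    return verdicts
if __name__ == "__main__":
    for ip, verdict in analyze(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip}: {verdict}")
```

On the constructed sample, 203.0.113.10 is reported as a spray followed by a successful login for jsmith and 192.0.2.55 as brute force against root, while the single failure from 198.51.100.7 stays below the threshold.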