Roughly half of the corporate firewalls that face the public internet have just been mapped into a Russian-speaking criminal's working password vault, and the credentials for most of those devices were still valid as of this week.
That is the practical upshot of a disclosure published Wednesday by Ars Technica. Security researcher Bob Diachenko of SecurityDiscovery.com obtained direct access to the attackers' command-and-control infrastructure and walked out with a structured database of working logins for about 74,000 Fortinet firewall devices across more than 21,000 IP addresses in 194 countries. The victim list includes Oracle, Chevron, Lenovo, FedEx, a NATO defense contractor, and Fortinet itself. The Ars Technica report is built on Diachenko's findings plus independent corroboration from Kevin Beaumont, a researcher who confirmed with multiple organizations that the credentials were real and that nearly all of the compromised devices were still online as of Wednesday morning. (Ars Technica)
For a reader who has never touched a FortiGate box, a Fortinet firewall is the perimeter appliance that stands between a corporate network and the open internet, inspecting and blocking traffic for everything from a coffee chain's point-of-sale system to a defense contractor's email server. The fact that criminals now hold working logins for half of the world's internet-facing fleet of these boxes is not a data breach in the usual sense. It is a category-wide exposure of a single vendor's installed base, and the credentials are sitting in plaintext, the unencrypted human-readable form, not in hashed form that would at least slow attackers down.
The breach did not come from a Fortinet software flaw. The attackers built a custom 25,000-thread credential-spraying tool, a program that hammers a login page with huge volumes of guessed username and password combinations in parallel, and ran it against FortiGate login endpoints exposed to the internet. Over time, they accumulated the working logins, paired each one with the victim organization's industry, revenue, and employee count, and organized the result into a tradable intelligence database, exactly the kind of structured victim profile that gets handed to ransomware affiliates for follow-on extortion campaigns. (Ars Technica)
The Ars Technica reporting adds a second layer of risk that is easy to miss in the firewall framing. Once inside a corporate network via the perimeter appliance, the attackers in many cases pivoted to the centralized authentication systems that govern logins across the entire enterprise: Microsoft Active Directory, the directory service that decides which employee can do what on a Windows network, and RADIUS, the central server that authenticates users to switches, VPNs, and Wi-Fi. That means a single stolen FortiGate password can function as the front door to every internal system. It is the reason Beaumont framed the disclosure as a credential database rather than a leak.
The political and competitive stakes are visible in the victim list. Oracle, Chevron, Lenovo, FedEx, a NATO defense contractor, and Fortinet itself all appear in the database. Ars Technica reports that the victims had not all been independently confirmed on the record at publication, and several of the named organizations did not immediately respond to requests for comment. That caveat matters: the exposure is researcher-confirmed at the credential level, not necessarily company-confirmed at the executive level. Treat the company list as a working roster pending direct statements from the named firms. (Ars Technica)
For security teams, the disclosure converts a category of theoretical exposure into a concrete checklist. Diachenko, Beaumont, and Hudson Rock, the threat-intelligence firm that maintains a public search engine for affected domains, all converge on the same short list of immediate steps. Rotate every credential on every FortiGate device, especially local administrator accounts, and assume any password that has been on an internet-facing box for the past year is in someone else's hands. Audit RADIUS and Active Directory for signs of post-firewall activity: new service accounts, unfamiliar group memberships, and authentication attempts from device subnets that should not normally talk to the directory. Take internet-exposed FortiGate management interfaces off the public internet where operationally possible, and put them behind a VPN or a jump host. The Hudson Rock search engine, linked from the Ars Technica piece, lets a defender check whether their domain appears in the leaked set without waiting for a vendor notification.
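Two of the checks above, the spraying pattern the attackers used against the firewall login page and the post-firewall directory audit, can be turned into simple detections. The script below is an added example, not code from Ars Technica, the researchers, Hudson Rock or Fortinet. The key=value log layout, the sample lines, the subnet assignments and the thresholds are all constructed for illustration and do not match FortiGate's or any RADIUS/Active Directory server's real log syntax; a defender would swap in the parser for their own export. It flags one source IP trying many distinct usernames in a short window, and any directory authentication arriving from a subnet that should never be a directory client, such as the firewall management segment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample lines (assumed format, not a real vendor log syntax).
FIREWALL_LOGIN_LOG = """\
2024-05-01T08:00:01 src=203.0.113.9 user=admin result=failed
2024-05-01T08:00:02 src=203.0.113.9 user=jsmith result=failed
2024-05-01T08:00:02 src=203.0.113.9 user=backup result=failed
2024-05-01T08:00:03 src=203.0.113.9 user=fortinet result=failed
2024-05-01T08:00:03 src=203.0.113.9 user=maint result=failed
2024-05-01T08:00:04 src=203.0.113.9 user=netops result=failed
2024-05-01T08:05:00 src=198.51.100.7 user=jsmith result=failed
2024-05-01T08:05:20 src=198.51.100.7 user=jsmith result=success
"""

# Constructed RADIUS/AD authentication lines (assumed format).
DIRECTORY_AUTH_LOG = """\
2024-05-01T09:00:00 client=10.10.4.21 user=jsmith result=success
2024-05-01T09:01:10 client=10.20.0.5 user=svc-sync result=success
2024-05-01T09:02:30 client=10.10.7.3 user=akhan result=failed
2024-05-01T09:03:45 client=10.20.0.5 user=administrator result=failed
"""

# Subnets that legitimately authenticate to the directory (assumed).
ALLOWED_DIRECTORY_CLIENTS = [ipaddress.ip_network("10.10.0.0/16")]
# Firewall management segment (assumed); it should never be a directory client.
FIREWALL_MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:src|client)=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log):
    """Parse the assumed key=value format into event dicts; skip unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def detect_spray(log, window=timedelta(seconds=60), min_users=5):
    """Return {src_ip: sorted usernames tried} for sources whose failed logins
    cover >= min_users distinct usernames inside any `window`: many users, one
    source, is the spraying signature, unlike one user failing repeatedly."""
    by_src = defaultdict(list)
    for e in parse(log):
        if e["result"] == "failed":
            by_src[e["ip"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_users:
                hits[src] = sorted({e["user"] for e in evs})
                break
    return hits


def detect_unexpected_directory_clients(log, allowed=ALLOWED_DIRECTORY_CLIENTS):
    """Return directory auth events whose client IP lies outside every allowed
    subnet, marking those from the firewall management net as a likely pivot."""
    findings = []
    for e in parse(log):
        ip = ipaddress.ip_address(e["ip"])
        if any(ip in net for net in allowed):
            continue
        findings.append({**e, "from_firewall_mgmt": ip in FIREWALL_MGMT_NET})
    return findings


if __name__ == "__main__":
    for src, users in detect_spray(FIREWALL_LOGIN_LOG).items():
        print(f"spray from {src}: {len(users)} usernames {users}")
    for f in detect_unexpected_directory_clients(DIRECTORY_AUTH_LOG):
        where = "firewall mgmt net" if f["from_firewall_mgmt"] else "unknown net"
        print(f"directory auth from {f['ip']} ({where}) as {f['user']}: {f['result']}")
```

Successful authentications from the management segment are the ones to chase first: a failed attempt shows someone probing, but a success as a service or administrator account from a subnet that has no business talking to the directory is the pivot the article describes. Tune the window and username threshold to the normal failure rate on your own login endpoints before relying on the spray rule.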
The longer question is structural. Fortinet has now weathered a series of disclosed intrusions in which attackers moved from stolen credentials to deep network access, and the same appliance class that guards the corporate perimeter is also the single point of failure when its credentials leak. The dataset is researcher-confirmed, the credentials are working, and the devices are still online. That is not a vulnerability patch problem. It is a credential rotation and exposure-hygiene problem, and the responsible thing to assume, until Fortinet or a regulator says otherwise, is that roughly half of the world's internet-facing Fortinet firewalls are in someone else's hands today.