Credential Harvesting at Fortinet Scale: 75,000 Devices, 194 Countries, and the Infrastructure Gap Nobody Wants to Name

A 1.16 billion-attempt brute-force campaign against enterprise firewalls exposes the brittleness of perimeter security - and the credential hygiene failures that let attackers walk in.

Daniel R. Whitfield
Staff Writer · Singapore
Jun 18, 2026
9 min read
The Numbers Behind the Breach

A Russian-speaking operation has extracted working credentials from approximately 75,000 Fortinet firewall devices across 194 countries, affecting 21,632 unique domains and reaching into the networks of Samsung, Siemens, Comcast, FedEx, Lenovo, Oracle, Accenture, and a Turkish defense contractor working with NATO. The campaign processed 1.16 billion credential attempts against 320,777 FortiGate targets and another 2.1 billion attempts against 163,650 MSSQL servers, according to security researcher Volodymyr Diachenko, who first documented the operation.

The scale is notable not for novelty - credential stuffing and hash cracking are well-worn tactics - but for reach. Device search data suggests the compromised population represents roughly half of all internet-facing Fortinet firewalls, and most of the affected devices remain online. Hudson Rock, which analyzed the dataset, confirmed that the credentials are valid and span nearly every sector of the global economy.

At DailyTechWire, we've tracked perimeter security incidents across Asia-Pacific and EMEA for three years. This event stands out for two reasons: the operational maturity of the adversary - a 45-GPU cluster managed via Hashtopolis for distributed hash cracking - and the fact that many compromised devices were running recent firmware patches. The second point undermines the usual narrative that breaches stem from neglected legacy equipment.

How the Operation Worked

The attackers intercepted SSL VPN authentication traffic, captured password hashes, and used a distributed GPU cluster to crack them. Once inside, they pivoted into internal Active Directory environments, according to Diachenko. In at least four cases, the group achieved full network compromise. One victim, a Turkish NATO defense contractor, lost classified defense documents.

The workflow reflects a shift in adversary economics. GPU clusters for hash cracking are no longer exotic; they are commodity infrastructure. A 45-GPU rig can be assembled or rented for a few thousand dollars per month, and open-source orchestration tools like Hashtopolis make distributed cracking straightforward. The barrier to entry for large-scale credential harvesting has collapsed, and the attack surface - internet-facing VPN endpoints - remains vast.

Security researcher Kevin Beaumont, who independently verified the stolen credentials, noted that the data is legitimate. He confirmed that login credentials and passwords for several organizations on the list are real, and many of the sampled devices are on fairly recent patches. This suggests that the vulnerability lies not in outdated firmware but in credential management practices: weak passwords, lack of multi-factor authentication, or both.

The Vendor Response and the Credibility Problem

Fortinet disputes the timeline. In a statement, the company said the data represents a resharing of information from prior incidents combined with brute-force attacks on credentials, not a new breach. Fortinet emphasized that organizations following routine best practices, including regular credential rotation, face minimal risk.

The framing matters. If the credentials come from prior incidents, the question becomes: why are they still valid? If they come from brute-force attacks, the question becomes: why were the passwords weak enough to crack? Either answer points to systemic failures in credential hygiene, not just vendor security.

At DailyTechWire, we treat vendor statements as data points, not conclusions. Fortinet's March guidance on credential rotation exists, but the presence of 75,000 compromised devices suggests that guidance is not being followed - or that the default configurations and enforcement mechanisms are insufficient. The gap between vendor recommendations and real-world deployment is a recurring theme in enterprise infrastructure, and this incident is a sharp illustration.

The Perimeter Is Already Inside

The operational reality for many enterprises is that the perimeter is porous. VPN endpoints, remote desktop gateways, and firewall management interfaces are exposed to the internet by necessity, and they are targeted continuously. The question is not whether attackers will attempt to harvest credentials - they will - but whether the defenses are layered enough to contain the breach.

Multi-factor authentication is the obvious mitigation, but adoption remains uneven. In environments where MFA is not enforced on administrative interfaces, a single compromised password grants full remote access to the firewall and, by extension, the internal network. Active Directory pivots are trivial once an attacker has a foothold on a trusted device.

The Turkish NATO contractor case is instructive. The attacker did not stop at the firewall. They moved laterally, escalated privileges, and exfiltrated classified documents. This is the standard playbook, and it works because enterprise networks are built on implicit trust. Once you are inside the perimeter, the internal segmentation is often weak, and the monitoring is spotty.

What the Incident Reveals About Infrastructure Priorities

The fact that half of all internet-facing Fortinet firewalls were targeted - and that a significant fraction were compromised - raises questions about infrastructure priorities. Firewalls are supposed to be the first line of defense, yet they are often the least monitored, least audited, and least hardened components of the stack. Administrative interfaces are exposed, credentials are reused, and MFA is treated as optional.

This is not a Fortinet-specific problem. The same patterns appear in Palo Alto, Cisco, and Juniper deployments. The issue is cultural and organizational. Security teams are under-resourced, and infrastructure teams prioritize availability over hardening. The result is a vast attack surface of misconfigured, under-monitored devices that are trivial to compromise once an attacker invests in the right tooling.

At DailyTechWire, we've observed this dynamic across Asia-Pacific, where rapid digital transformation often outpaces security maturity. Enterprises deploy VPN infrastructure to support remote work, but they do not always enforce MFA, rotate credentials regularly, or audit access logs. The gap between deployment and hardening is where attackers operate.

The GPU Economics of Modern Cracking

The use of a 45-GPU cluster is a reminder that the economics of password cracking have shifted. A decade ago, cracking a complex hash required weeks of compute time. Today, a well-configured GPU rig can process billions of hashes in hours. The attackers in this campaign ran 1.16 billion credential attempts against FortiGate devices and 2.1 billion against MSSQL servers - volumes that would have been impractical five years ago.

This has implications for password policy. The old guidance - eight characters, mix of upper, lower, numbers, and symbols - is no longer sufficient against a determined adversary with GPU infrastructure. Passwords need to be longer, and they need to be paired with MFA. The alternative is to assume that any password-protected interface exposed to the internet will eventually be compromised.

The distributed orchestration via Hashtopolis also signals a shift. Attackers are not lone operators; they are running campaigns with operational maturity that rivals legitimate security research. They have tooling, infrastructure, and process. The gap between attacker capability and defender readiness is widening, and incidents like this make the gap visible.

Sectoral Exposure and the NATO Angle

The breach affects enterprises across every sector: manufacturing (Samsung, Lenovo, Foxconn), logistics (FedEx), telecommunications (Comcast), consulting (Accenture), and defense. The inclusion of a Turkish NATO contractor is particularly significant. Classified defense documents are high-value targets, and the compromise suggests that the attackers were not opportunistic - they were deliberate.

NATO supply chains are a known target for state-aligned groups, and the intersection of defense contracting and inadequate credential hygiene is a recurring vulnerability. The Turkish contractor case will likely trigger reviews across allied defense supply chains, but the broader lesson is that no sector is insulated. If a NATO contractor can lose classified documents through a firewall credential breach, then the risk is universal.

The Policy Gap: Mandates Without Enforcement

The incident highlights a policy gap. Many jurisdictions now mandate baseline security controls - regular patching, MFA, incident disclosure - but enforcement is weak, and compliance is often performative. Enterprises check boxes, file reports, and move on. The actual hardening work - auditing exposed interfaces, rotating credentials, enforcing MFA - does not happen, or happens inconsistently.

At DailyTechWire, we've followed the evolution of cybersecurity mandates across Singapore, South Korea, and the EU. The regulatory frameworks are maturing, but the gap between policy and practice remains wide. This incident will likely be cited in future policy discussions, but unless enforcement mechanisms improve, the pattern will repeat.

The challenge is that infrastructure security is invisible until it fails. There is no business case for hardening a firewall that is already "working." The cost is upfront, the benefit is hypothetical, and the stakeholders are different. Security teams propose changes, infrastructure teams push back, and the status quo persists - until an incident forces action.

What Organizations Should Do Now

If your organization runs Fortinet firewalls - or any internet-facing VPN or firewall management interface - the immediate actions are straightforward. Rotate all passwords associated with VPN and administrative interfaces. Enforce multi-factor authentication on every remote access point. Audit access logs for anomalous activity, particularly successful logins from unexpected geographies or IP ranges.

The broader actions are harder. Conduct a full inventory of internet-facing devices. Identify which ones have administrative interfaces exposed. Implement network segmentation so that a compromised perimeter device does not grant access to the entire internal network. Move to certificate-based authentication where possible, and treat passwords as a fallback, not a primary control.

For organizations that were named in the breach, the calculus is different. Assume full compromise. Rotate credentials across the board, not just on the firewall. Hunt for lateral movement in Active Directory logs. Engage forensics if classified or sensitive data was accessible from compromised systems. The presence of your domain in the dataset does not mean the attacker moved beyond the firewall, but it means they could have.
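The log audit described above (anomalous successful logins from unexpected geographies, and a burst of failures followed by a success) can be scripted. This is an added illustration, not code from the article or from Fortinet; the sample events are constructed in FortiGate-style key=value form with invented values, the `GEO` table stands in for a real GeoIP database, and the expected-country set is an assumption for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (values invented; field names modelled on
# FortiGate SSL-VPN event logs, not copied from any real device). Assumed sorted by time.
SAMPLE_LOG = """\
date=2026-06-17 time=09:00:01 subtype="vpn" action="ssl-login-fail" user="jdoe" remip="203.0.113.7"
date=2026-06-17 time=09:00:02 subtype="vpn" action="ssl-login-fail" user="jdoe" remip="203.0.113.7"
date=2026-06-17 time=09:00:04 subtype="vpn" action="ssl-login-fail" user="jdoe" remip="203.0.113.7"
date=2026-06-17 time=09:00:09 subtype="vpn" action="tunnel-up" user="jdoe" remip="203.0.113.7"
date=2026-06-17 time=09:15:00 subtype="vpn" action="tunnel-up" user="asmith" remip="198.51.100.20"
date=2026-06-17 time=09:20:00 subtype="vpn" action="tunnel-up" user="asmith" remip="192.0.2.44"
"""

# Assumption: stand-in for a GeoIP lookup; replace with a real database in practice.
GEO = {"203.0.113.7": "XX", "198.51.100.20": "SG", "192.0.2.44": "SG"}
EXPECTED_COUNTRIES = {"SG", "KR"}   # assumed: where this organisation's staff normally connect from

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value log line into a dict (quotes stripped) plus a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.fromisoformat(f"{fields['date']} {fields['time']}")
    return fields

def detect(log_text, fail_threshold=3, window=timedelta(minutes=5)):
    """Return alerts for (a) successful logins from a country outside EXPECTED_COUNTRIES and
    (b) a success preceded by at least fail_threshold failures for the same user/IP inside window."""
    alerts = []
    failures = defaultdict(list)   # (user, remip) -> timestamps of failures since last success
    for line in log_text.splitlines():
        ev = parse_event(line)
        key = (ev["user"], ev["remip"])
        if ev["action"] == "ssl-login-fail":
            failures[key].append(ev["ts"])
            continue
        if ev["action"] != "tunnel-up":
            continue
        country = GEO.get(ev["remip"], "??")   # unknown source counts as unexpected
        if country not in EXPECTED_COUNTRIES:
            alerts.append(("unexpected-geo", ev["user"], ev["remip"], country))
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append(("bruteforce-then-success", ev["user"], ev["remip"], len(recent)))
        failures[key].clear()   # a success resets the failure run for this user/IP pair
    return alerts
```

Running `detect(SAMPLE_LOG)` flags the `jdoe` session twice (unexpected country and three failures before success) and leaves both `asmith` sessions alone; any alert is a prompt to rotate that account's credentials and review the session, not proof of compromise on its own.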

The Long Tail of Credential Reuse

One under-discussed aspect of large-scale credential breaches is reuse. Employees and administrators often use the same passwords across multiple systems. A compromised Fortinet VPN password may also unlock an email account, a cloud console, or a SaaS admin panel. The attackers in this campaign have 75,000 valid credentials, and they will test them everywhere.

This is the long tail of the breach. The immediate impact is access to the firewall. The secondary impact is access to everything else those credentials unlock. Organizations that were compromised should assume that the stolen credentials will be tested against every service their employees use, from Office 365 to AWS to internal applications. The mitigation is forced password resets across the board and vigilant monitoring for credential stuffing attempts.

The Infrastructure Debt No One Wants to Pay

This incident is a symptom of infrastructure debt. Enterprises deploy technology faster than they can secure it. Firewalls, VPNs, and remote access gateways are stood up to meet business needs - remote work, partner access, cloud migration - but the hardening and monitoring lag behind. The result is a sprawling attack surface of devices that are nominally protected but practically vulnerable.

At DailyTechWire, we see this pattern across sectors and regions. The pressure to deploy is constant; the pressure to harden is episodic. Security initiatives are funded after breaches, not before them. The industry has known for years that exposed management interfaces and weak credentials are a liability, yet here we are, with 75,000 compromised devices and credentials for some of the largest enterprises on the planet circulating in adversary hands.

The fix is not technical - it is organizational. Security must be embedded in deployment from the start, not bolted on after the fact. Credential hygiene, MFA, segmentation, and monitoring must be non-negotiable, not optional. Until that shift happens, incidents like this will continue to recur, and the scale will only grow.
