LEMON BLOG

Massive Credential Leak Reportedly Hits 75,000 Fortinet Firewalls Worldwide

Organisations using Fortinet firewalls are being urged to take immediate action after security researchers reported a large-scale credential-stealing incident involving around 75,000 Fortinet firewall devices.

According to the reports, attackers managed to obtain login credentials linked to Fortinet devices used by organisations across 194 countries. In some cases, the stolen credentials may have allowed intruders to move deeper into corporate networks, potentially leading to wider compromise beyond the firewall itself.

The incident is particularly serious because firewalls and VPN gateways often sit at the front door of a company's network. If attackers obtain working administrative or VPN credentials, they may gain remote access into internal systems, depending on how the environment is configured.

Major Global Companies Reportedly Included In The Leak

Security researchers who reviewed the leaked data said the credentials appear to be valid and linked to accounts belonging to a wide range of large organisations. The affected list reportedly includes domains connected to multinational companies such as Foxconn, Samsung, Comcast, Siemens, Lenovo, FedEx, PwC, Accenture, Oracle, and many others.

Hudson Rock, which analysed the dataset, said the leak affects 21,632 unique domains. The security firm described the scale of the incident as extremely broad, touching nearly every major sector of the global economy.

The concern is not just that passwords were leaked, but that the attackers may have collected a verified database of working credentials. That makes the situation more dangerous because criminals may not need to guess or brute-force their way in if the credentials are still valid.

Why Fortinet Credentials Are So Valuable To Attackers

Fortinet firewalls, especially FortiGate devices, are commonly used by businesses, government agencies, service providers, and large enterprises. Many organisations also use them for SSL VPN access, allowing employees or administrators to connect remotely into company networks.

That makes stolen Fortinet credentials highly valuable. With the right access, attackers may be able to:

For this reason, organisations should treat exposed firewall or VPN credentials as a high-priority security incident, not just a routine password issue.

Researchers Say The Data Appears Legitimate

Several security researchers have said the leaked data appears to be real. Security researcher Volodymyr "Bob" Diachenko, who first highlighted the intrusions, attributed the activity to a Russian-speaking threat group.

According to Diachenko, the group allegedly intercepted SSL VPN authentication data, cracked password hashes using a large GPU-powered setup, and then used the credentials to pivot into internal Active Directory environments.

He also claimed that the operation involved a very large number of credential attempts, including over a billion attempts against FortiGate targets and billions more against Microsoft SQL Server targets.

Security researcher Kevin Beaumont also reviewed samples of the stolen data and said the credentials were legitimate. He noted that he had worked with some of the listed organisations and could confirm that some of the logins and passwords were real.

One of the more worrying claims is that many of the affected Fortinet devices were not necessarily outdated. Beaumont reportedly observed that some sampled devices were running fairly recent patches, suggesting the issue may not be limited only to old or neglected systems.

A Large Share Of Internet-Facing Fortinet Devices May Be Affected

Based on Shodan data referenced in the report, the number of affected Fortinet firewalls may represent about half of all internet-facing Fortinet firewall devices. That is a very large exposure surface, especially if many of those devices remain online and reachable from the internet.

This is why the immediate recommendation is simple: organisations using Fortinet devices should not wait for further confirmation before reviewing their exposure.

At minimum, administrators should urgently rotate all passwords linked to Fortinet VPN and administrative interfaces. They should also confirm that multi-factor authentication is enabled, especially for remote access and administrator accounts.

Fortinet Says The Data Is Not From A New Breach

After the report was published, Fortinet responded by saying that the data does not appear to come from a new incident. According to the company, its analysis suggests that the data is a resharing of information from previous incidents, combined with brute-forced credentials.

Fortinet also said the matter is not linked to any recent advisory. The company added that organisations following routine security best practices, including regular credential rotation, should face minimal risk from the credential details referenced in the report.

That response is important because it suggests this may not be a newly discovered Fortinet vulnerability. However, even if the data comes from older breaches or previous credential theft, the risk remains real if organisations have not changed their passwords since then.

Old stolen credentials can still be dangerous if they are still active.

Why This Still Matters Even If The Data Is Old

One common mistake in cybersecurity is assuming that old leaks no longer matter. In reality, many organisations reuse credentials, delay password rotation, or forget to remove old accounts. Attackers know this, which is why previously stolen data often continues to be useful long after it first appears online.

If a leaked Fortinet password still works, it does not matter whether it was stolen yesterday or months ago. The attacker still has a possible way in.

This is especially risky for VPN and firewall accounts because they can provide direct access to internal networks. A single valid login could be enough to start a much larger attack.
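
An added example (not from the original article or from Fortinet): a small triage script over a constructed account inventory that flags the conditions described above, namely passwords not rotated since a cutoff date, missing MFA, and old accounts left enabled. The CSV columns, the scoring weights and all dates are assumptions made for illustration, not a FortiOS export format.

```python
import csv
import io
from datetime import date

# Constructed inventory export; the column names are assumptions, not a FortiOS format.
SAMPLE_INVENTORY = """account,role,password_changed,last_login,mfa_enabled,enabled
admin,admin,2023-02-10,2025-05-30,no,yes
jsmith,vpn,2025-05-20,2025-06-01,yes,yes
contractor7,vpn,2022-11-03,2023-01-15,no,yes
backup-admin,admin,2025-04-02,2025-04-02,yes,yes
old-svc,vpn,2021-08-19,2021-09-01,no,no
"""

def triage(inventory_csv, rotated_after, today, dormant_days=180):
    """Return (account, score, reasons) for enabled accounts, riskiest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["enabled"].strip().lower() != "yes":
            continue  # disabled accounts cannot be used to log in
        reasons, score = [], 0
        if date.fromisoformat(row["password_changed"]) < rotated_after:
            reasons.append("password not rotated since cutoff")
            score += 3
        if row["mfa_enabled"].strip().lower() != "yes":
            reasons.append("no MFA")
            score += 2
        if (today - date.fromisoformat(row["last_login"])).days > dormant_days:
            reasons.append("dormant but still enabled")
            score += 1
        if row["role"] == "admin" and reasons:
            score += 1  # administrative access raises the impact of any finding
        if reasons:
            findings.append((row["account"], score, reasons))
    # Highest score first; ties broken by account name for stable output.
    return sorted(findings, key=lambda f: (-f[1], f[0]))

if __name__ == "__main__":
    # Placeholder dates: use the date of your last forced rotation as the cutoff.
    for account, score, reasons in triage(SAMPLE_INVENTORY, date(2025, 1, 1), date(2025, 6, 10)):
        print(f"{score} {account}: {', '.join(reasons)}")
```
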

What Organisations Should Do Now

Organisations using Fortinet firewalls should treat this as an urgent reminder to harden their remote access environment. Even if they do not appear on any affected list, the scale of the reported leak makes it worth reviewing firewall security immediately.

Recommended actions include:

For larger organisations, this should also involve incident response teams, identity teams, and network security teams working together. Changing passwords alone may not be enough if attackers already accessed the network.

The Bigger Lesson For Firewall And VPN Security

This incident highlights a broader problem in enterprise security. Firewalls, VPN appliances, and remote access systems are often treated as trusted infrastructure, but they are also prime targets for attackers.

Once attackers obtain valid credentials for these systems, they may be able to bypass many traditional security controls because their activity can appear like normal user or administrator access.

That is why password hygiene, MFA, logging, patching, and access restrictions are no longer optional. They are essential controls for any internet-facing security appliance.

A Serious Warning For Fortinet Users

Whether this dataset comes from a fresh compromise or older credential leaks being recirculated, the message for Fortinet users is the same: assume credentials may be exposed and act quickly.

Security teams should rotate passwords, verify MFA, review logs, and check for signs of compromise. The longer exposed credentials remain active, the more opportunity attackers have to use them.

For organisations that rely on Fortinet devices for VPN or firewall access, this is not just a firewall issue. It could become a full network security incident if stolen credentials are used to move deeper into internal systems.

Thursday, 18 June 2026
