Hackers Compromised 73,000 Fortinet Firewalls in Global Credential-Theft Campaign

TechCrunch
A large-scale cybercriminal campaign has compromised more than 73,000 Fortinet firewall and VPN devices across the globe, with confirmed victims spanning some of the world's largest enterprises. The operation, which researchers have labeled "FortiBleed," used automated scanning tools to identify exposed Fortinet devices and then logged in with previously leaked credentials rather than exploiting any new vulnerability.

How the Attack Worked

Rather than relying on zero-day exploits, the attackers built a self-reinforcing loop: automated scanners searched the internet for exposed Fortinet devices, tried known leaked passwords to gain entry, and then used their access to harvest fresh credentials from inside each network. Those newly collected credentials were fed back into the scanning operation to compromise additional targets, amplifying the campaign's reach over time.

Security research firm Hudson Rock identified more than 73,000 unique compromised Fortinet URLs, while SOCRadar independently confirmed more than 30,000 hacked devices. The two figures count different things (URLs versus devices) and appear to draw on partially overlapping datasets from different sources, so neither pins down the exact number of affected devices; the true scale likely lies somewhere between them.

Who Was Affected

The countries most affected are India, the United States, Taiwan, and Mexico. Industries hit hardest include IT services, telecommunications, construction materials, and government agencies. Among the confirmed victims are Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC — a cross-section of major global enterprises that rely on Fortinet products for perimeter network security.

The attackers gained access to credentials and were able to monitor traffic passing through the compromised devices, giving them a persistent foothold inside affected corporate networks.

Fortinet's Response

Fortinet downplayed the severity of the campaign. A company spokesperson told TechCrunch the firm "is aware of a reported third-party credential-harvesting campaign" but characterized the incident as "a resharing of data from previous incidents, as well as bruteforcing of credentials," adding that it was "not related to any recent incident or advisory." The company did not address the scale of confirmed corporate victims or the credential-loop amplification technique.

What This Means for Enterprise Security

The Fortinet campaign underscores a persistent blind spot in enterprise security: perimeter devices (firewalls, VPNs, and network appliances) are often the least-maintained systems in an organization. They sit at the network edge, exposed to the internet, yet many organizations neither rotate the credentials on these devices regularly nor monitor them specifically for unauthorized access. This campaign needed no unpatched vulnerability; leaked or reused passwords were enough. When an attacker compromises a firewall, they gain a privileged vantage point from which to observe all traffic passing through the network, including authentication sessions and sensitive data.

Security teams should audit every Fortinet device for signs of unauthorized access (administrator logins from unexpected source addresses, bursts of failed logins), rotate credentials on any device that may have been exposed, and enforce multi-factor authentication on VPN and administrative access wherever possible. Because the campaign relied on credentials leaked in earlier incidents, a rotated password that is reused elsewhere offers little protection; each device needs unique credentials. The incident was originally reported by Lorenzo Franceschi-Bicchierai at TechCrunch.
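As an added illustration of that audit step (example code, not from TechCrunch, Fortinet, or the researchers cited above), the following Python script scans FortiGate admin-login events for three patterns that fit a credential-stuffing campaign: a burst of failed logins from one source, a successful login from outside a management allowlist, and a success that follows a burst of failures from the same address. The log lines are constructed in FortiOS key=value syntax rather than captured from a real device; the field names (srcip, status, action, logdesc), the log IDs, and the allowlist range are assumptions, and the thresholds are arbitrary starting points to tune against your own baseline.

```python
"""Flag admin-login patterns in FortiGate event logs that fit a
credential-stuffing campaign: bursts of failed logins from one source,
a successful login from outside the management allowlist, and a success
that follows a burst of failures from the same source."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# FortiOS logs are space-separated key=value pairs; values containing
# spaces are double-quoted, so the quoted branch must be tried first.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Return {key: value} for one FortiOS syslog line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def _event_time(ev):
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def analyze_admin_logins(lines, allowlist, window=timedelta(minutes=10),
                         burst_threshold=5, stuffing_min_failures=3):
    """Scan FortiOS 'event' logs carrying action="login" and return findings.

    allowlist: CIDR strings from which administrator logins are expected.
    Each finding is a dict with kind, srcip, user and time (ISO string)."""
    nets = [ip_network(n) for n in allowlist]
    failures = defaultdict(list)  # srcip -> timestamps of recent failed logins
    findings = []

    def add(kind, ev, ts):
        findings.append({"kind": kind, "srcip": ev.get("srcip"),
                         "user": ev.get("user"), "time": ts.isoformat()})

    for line in lines:
        ev = parse_fortigate_line(line)
        if ev.get("type") != "event" or ev.get("action") != "login":
            continue
        src = ev.get("srcip")
        if not src:
            continue
        ts = _event_time(ev)
        # Keep only this source's failures that fall inside the sliding window.
        recent = [t for t in failures[src] if ts - t <= window]
        if ev.get("status") == "failed":
            recent.append(ts)
            failures[src] = recent
            if len(recent) == burst_threshold:  # fires when the count hits the threshold
                add("brute_force", ev, ts)
        elif ev.get("status") == "success":
            failures[src] = recent
            if not any(ip_address(src) in n for n in nets):
                add("login_outside_allowlist", ev, ts)
            if len(recent) >= stuffing_min_failures:
                add("success_after_failures", ev, ts)
    return findings


# --- Constructed sample data (not real captures) ---------------------------
MGMT_ALLOWLIST = ["10.20.0.0/24"]  # assumed range of the management network


def _line(t, ip, user, status, reason="none"):
    """Build one constructed FortiOS-style admin login event."""
    ok = status == "success"
    logid = "0100032001" if ok else "0100032002"  # assumed IDs for login ok/failed
    desc = "Admin login successful" if ok else "Admin login failed"
    return (f'date=2024-05-02 time={t} devname="fw-edge-1" logid="{logid}" '
            f'type="event" subtype="system" level="alert" vd="root" '
            f'logdesc="{desc}" user="{user}" ui="https({ip})" method="https" '
            f'srcip={ip} dstip=192.0.2.1 action="login" status="{status}" '
            f'reason="{reason}" msg="Administrator {user} login {status} from https({ip})"')


SAMPLE_LOGS = [
    _line("10:00:05", "198.51.100.7", "admin", "failed", "passwd_invalid"),
    _line("10:00:06", "198.51.100.7", "admin", "failed", "passwd_invalid"),
    _line("10:00:07", "198.51.100.7", "admin", "failed", "passwd_invalid"),
    _line("10:00:08", "198.51.100.7", "admin", "failed", "passwd_invalid"),
    _line("10:00:09", "198.51.100.7", "admin", "failed", "passwd_invalid"),
    _line("10:00:12", "198.51.100.7", "admin", "success"),   # stuffing hit
    _line("10:05:00", "10.20.0.5", "netops", "success"),     # expected admin
    _line("11:30:00", "203.0.113.9", "admin", "failed", "passwd_invalid"),
]

if __name__ == "__main__":
    for f in analyze_admin_logins(SAMPLE_LOGS, MGMT_ALLOWLIST):
        print(f"{f['time']} {f['kind']:<24} src={f['srcip']} user={f['user']}")
```

On the sample data the script reports three findings, all for 198.51.100.7: a brute-force burst at the fifth failure, and then both a login from outside the allowlist and a success-after-failures hit for the successful login three seconds later. The single failure from 203.0.113.9 stays below threshold and the netops login from the management range is silent. Feed it real syslog export lines instead of SAMPLE_LOGS and widen the checks (VPN logins, config-change events) to match what your devices actually emit.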
