
Tens of thousands of Fortinet firewalls and VPNs used by some of the world’s biggest companies have been compromised in an ongoing hacking campaign, according to two cybersecurity firms. The attacks, which researchers have named FortiBleed, did not require any new or unknown software vulnerability. Instead, hackers broke in using something far simpler: passwords that companies never changed.
According to TechCrunch, cybersecurity firms Hudson Rock and SOCRadar published separate reports this week detailing how the campaign works and how far it has spread. The scale is significant. Hudson Rock found evidence of more than 73,000 unique Fortinet URLs being compromised, while SOCRadar put the number of hacked devices at over 30,000.
The named victims include some recognizable companies. Hudson Rock identified Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC among them. None of those companies responded to requests for comment; Lenovo acknowledged receipt of the inquiry but said nothing further.
The attack method is straightforward and, frankly, hard to defend against if basic security hygiene has been skipped. Hackers use automated tools to scan the internet for exposed Fortinet devices, then try logging in using lists of passwords that have leaked in previous breaches. Once they get inside a device, it gets worse. As SOCRadar explained in its report: “Once a device is compromised, [the hackers] use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by. Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself.”
That self-reinforcing loop is what makes this campaign particularly hard to contain. Each compromised device becomes a tool for finding the next victim, allowing the operation to grow without hackers needing to do much additional work.
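The loop described above leaves a recognizable trace in a device's own login events: one source address failing against several usernames in quick succession, then a success. The script below is an added example, not code from either research firm or from Fortinet. It runs simple triage over a handful of constructed log lines written in a FortiOS-style key=value syntax; the field names (`status`, `user`, `srcip`, `action`) are assumptions about that format, the addresses and timestamps are made up, and the allowed management network is a placeholder. It also covers the log-review step in the remediation list further down.

```python
"""Triage FortiGate-style admin login events for credential-stuffing patterns.

Added example. The log lines are constructed to resemble FortiOS key=value
event syntax; they are not real device output, and the field names used
('status', 'user', 'srcip', 'action') are assumptions about that format.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: one spraying source (203.0.113.5), one single-guess
# success from an unexpected address, and a legitimate admin with a typo.
SAMPLE_LOGS = """\
date=2024-05-06 time=09:00:01 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.5 ui="https(203.0.113.5)"
date=2024-05-06 time=09:00:02 type="event" subtype="system" action="login" status="failed" user="backup" srcip=203.0.113.5 ui="https(203.0.113.5)"
date=2024-05-06 time=09:00:03 type="event" subtype="system" action="login" status="failed" user="vpnadmin" srcip=203.0.113.5 ui="https(203.0.113.5)"
date=2024-05-06 time=09:00:04 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.5 ui="https(203.0.113.5)"
date=2024-05-06 time=09:00:05 type="event" subtype="system" action="login" status="failed" user="audit" srcip=203.0.113.5 ui="https(203.0.113.5)"
date=2024-05-06 time=09:00:06 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.5 ui="https(203.0.113.5)"
date=2024-05-06 time=09:05:00 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.77 ui="https(198.51.100.77)"
date=2024-05-06 time=09:05:09 type="event" subtype="system" action="login" status="success" user="admin" srcip=198.51.100.77 ui="https(198.51.100.77)"
date=2024-05-06 time=09:10:00 type="event" subtype="system" action="login" status="failed" user="admin" srcip=10.0.0.9 ui="https(10.0.0.9)"
date=2024-05-06 time=09:10:07 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.0.0.9 ui="https(10.0.0.9)"
"""

# Management networks from which admin logins are expected (placeholder value).
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value event line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def login_events(text):
    """Yield only the admin login events from a block of log text."""
    for line in text.splitlines():
        ev = parse_line(line)
        if ev.get("type") == "event" and ev.get("action") == "login":
            yield ev


def triage(text, allowed_nets=ALLOWED_ADMIN_NETS, fail_threshold=5, min_users=3):
    """Return findings, in log order:
    - password_spray: a source with >= fail_threshold failures over >= min_users accounts
    - spray_then_success: a success from a source that already sprayed
    - login_from_unexpected_source: a success from outside the management networks
    """
    fails = defaultdict(list)   # srcip -> usernames that failed from it
    flagged = set()             # sources already reported as spraying
    findings = []
    for ev in login_events(text):
        src, user, status = ev["srcip"], ev["user"], ev["status"]
        if status == "failed":
            fails[src].append(user)
            if (src not in flagged and len(fails[src]) >= fail_threshold
                    and len(set(fails[src])) >= min_users):
                flagged.add(src)
                findings.append({"severity": "medium", "kind": "password_spray",
                                 "srcip": src, "users": sorted(set(fails[src]))})
        elif status == "success":
            if len(fails[src]) >= fail_threshold:
                findings.append({"severity": "high", "kind": "spray_then_success",
                                 "srcip": src, "user": user,
                                 "failed_attempts": len(fails[src])})
            elif not any(ipaddress.ip_address(src) in net for net in allowed_nets):
                findings.append({"severity": "medium", "kind": "login_from_unexpected_source",
                                 "srcip": src, "user": user})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

On real data the thresholds need tuning per device, and the success-after-spray case is the one worth paging on: it is exactly the point at which, per SOCRadar's description, a device stops being a target and becomes a collector for the next round.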
Fortinet spokesperson Tiffany Curci told TechCrunch the company is aware of the campaign and has been looking into it. The company said its analysis suggests the data involved “is a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory.” In other words, Fortinet is not pointing to a flaw in its software as the root cause here.
Geographically, the countries with the most affected devices are:
- India
- United States
- Taiwan
- Mexico
The hardest hit industries, according to Hudson Rock, are IT services, construction materials, and telecommunications. SOCRadar also noted that government agencies are among the victims. Both firms believe the group behind the campaign is Russian-speaking, though neither has publicly attributed it to a specific known group.
The campaign was first flagged by security researcher Bob Diachenko over the weekend. Independent researcher Kevin Beaumont followed up on Wednesday with a blog post confirming he had analyzed the data and found it to be legitimate.
What makes FortiBleed stand out from past Fortinet-related attacks is precisely what it does not involve. In previous years, hackers targeting Fortinet devices typically exploited software vulnerabilities, bugs in the code that Fortinet would then patch. This campaign skips all of that. There are no zero-days, no sophisticated exploits, just old passwords and companies that never got around to changing them. That is both less technically impressive and, in some ways, more alarming. It means the solution was always available and simply was not applied.
For any organization running Fortinet devices exposed to the internet, the immediate priorities are clear:
- Rotate all credentials on Fortinet firewalls and VPN gateways immediately
- Cross-check the replacement credentials against known leaked-password databases before putting them into service
- Review device and network logs for signs of unauthorized access, such as bursts of failed logins followed by a success, admin logins from unexpected addresses, and unusual traffic monitoring
- Apply any outstanding Fortinet security patches
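For the leaked-password check in that list, the standard approach is the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords service: hash the candidate password with SHA-1, send only the first five hex characters, and compare the rest of the hash locally against the suffixes the service returns, so the password itself never leaves your machine. The block below is an added example and is not code from the page's sources. It implements both sides of that exchange with a constructed, made-up corpus and an in-process stand-in for the HTTP call, so it runs offline; the corpus contents and counts are invented. Note that this only vets passwords you hold in plaintext, which in practice means the new ones chosen during rotation.

```python
"""Vet candidate passwords against a leaked-password corpus using the
k-anonymity range scheme (SHA-1, 5-hex-char prefix) that Pwned Passwords uses.

Added example. LEAKED_CORPUS is a constructed stand-in for breach data and
fetch_range() replaces the real network call, so everything runs offline.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> made-up occurrence count.
LEAKED_CORPUS = {
    "password": 9_000_000,
    "Password123": 120_000,
    "fortinet": 3_500,
    "Summer2023!": 800,
    "admin": 2_500_000,
}


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the range API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: group hash suffixes under their 5-char prefix, as
    'SUFFIX:COUNT' lines, the way a range endpoint serves them."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(LEAKED_CORPUS)


def fetch_range(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Only the 5-character prefix crosses this boundary."""
    assert len(prefix) == 5
    return "\n".join(RANGE_INDEX.get(prefix, []))


def leaked_count(password):
    """Client side: how often the password appears in the corpus (0 = not found).
    The full hash is compared locally against the returned suffixes."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def vet_new_credentials(candidates):
    """Return the candidates that must be rejected, with their leak counts."""
    return {pw: n for pw in candidates if (n := leaked_count(pw))}


if __name__ == "__main__":
    print(vet_new_credentials(["fortinet", "Summer2023!", "x9!Lq2#vT8pZr"]))
```

Against the real service the only change is swapping `fetch_range` for an HTTPS GET of the prefix; the response format is the same `SUFFIX:COUNT` lines. The live service also pads responses with dummy entries, which the suffix comparison above handles unchanged.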
This incident fits into a broader pattern that security teams have been warning about for years. Credential reuse and poor password hygiene remain among the most common entry points for attackers, even at large, well-resourced organizations. The tools to carry out these attacks are cheap and widely available. Often the only thing standing between a company and a compromise is whether someone remembered to change a leaked or reused password.