
Sweeping Credential-Harvesting Heist Compromises +30K Fortinet Devices

Why This Matters

This large-scale credential-harvesting campaign highlights the persistent vulnerabilities in enterprise security, especially for critical infrastructure and government organizations. The widespread compromise of over 30,000 Fortinet devices underscores the importance of robust credential management and proactive security measures to prevent cyber espionage and data breaches. For consumers and organizations alike, it serves as a stark reminder to prioritize cybersecurity hygiene and monitor for unauthorized access.

Key Takeaways

A large-scale cyber espionage and credential-harvesting operation is actively targeting Fortinet firewalls and VPN gateways, and has already compromised more than 30,000 Internet-facing devices across nearly 200 countries.

Researchers from SOCRadar discovered the campaign, which they believe is the work of Russian-speaking threat actors, when they found an exposed operational server belonging to the attackers. This gave them visibility into the group's tooling, victim database, automation infrastructure, and verified credential repository, according to a report published Tuesday.

"The attacker’s database contains login credentials for more than 30,791 devices belonging to companies and government organizations across 194 countries," according to the report. "These are not random guesses. These are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock."


Take the Threat Seriously

SOCRadar emphasized that it found no evidence of exploitation of a Fortinet flaw in the operation and is treating it strictly as a credential-compromise campaign, though one that should still be taken seriously, according to the report.

The compromised devices so far comprise 21,108 unique IP addresses and 8,316 unique domains across the government, telecommunications, healthcare, education, financial services, and critical infrastructure sectors, the researchers found. Among those, telecommunications accounted for over 5,600 compromised devices, while government organizations represented 591 devices across 111 domains.

Enterprise organizations generating more than $1 billion in annual revenue accounted for over 20% of affected devices, while India and the United States reportedly accounted for nearly one-third of all identified credential compromises, although affected organizations were found across Asia, Europe, the Americas, Africa, and the Middle East.

Targeting Security Weaknesses

The researchers' analysis found that the compromised firewalls and VPNs often reflected security weaknesses in the targeted network infrastructure. Many of the harvested credentials were for generic administrator accounts, default or built-in Fortinet system accounts, or long-lived accounts whose passwords had never been rotated after previous breaches, they said.
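As an added defender-side example (not from the article or SOCRadar's report), the following Python audit parses a constructed FortiOS CLI excerpt and flags the weaknesses described above: generic or built-in admin accounts, super_admin accounts reachable from any host or without two-factor, and a password policy with expiry disabled. The FortiOS keywords (`config system admin`, `accprofile`, `trusthost1`, `two-factor`, `expire-status`) and the sample config are assumptions for illustration, not values taken from the report.

```python
import re

# Constructed FortiOS CLI excerpt used as sample input (not real device output).
SAMPLE_CONFIG = """\
config system password-policy
    set status enable
    set expire-status disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER
    next
    edit "netops-jdoe"
        set accprofile "super_admin"
        set trusthost1 10.20.0.0 255.255.0.0
        set two-factor fortitoken
    next
    edit "readonly-audit"
        set accprofile "prof_admin"
    next
end
"""

# Account names that suggest a generic or built-in administrator (assumed list).
GENERIC_NAMES = {"admin", "administrator", "root", "fortinet"}

def parse_admins(text):
    """Return {name: {setting: value}} for each 'edit' stanza under config system admin."""
    block = re.search(r"config system admin\n(.*?)\nend", text, re.S)
    if not block:
        return {}
    admins = {}
    for m in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', block.group(1), re.S):
        settings = {k: v.strip('"') for k, v in re.findall(r"set (\S+) (.+)", m.group(2))}
        admins[m.group(1)] = settings
    return admins

def password_expiry_enabled(text):
    """True only if the admin password policy enforces expiry (forces rotation)."""
    block = re.search(r"config system password-policy\n(.*?)\nend", text, re.S)
    return bool(block) and "set expire-status enable" in block.group(1)

def audit(text):
    """Return (account, issue) findings; '*' marks a device-wide finding."""
    findings = []
    if not password_expiry_enabled(text):
        findings.append(("*", "admin password expiry not enforced"))
    for name, s in parse_admins(text).items():
        if name.lower() in GENERIC_NAMES:
            findings.append((name, "generic/built-in admin account"))
        if s.get("accprofile") == "super_admin" and not any(k.startswith("trusthost") for k in s):
            findings.append((name, "super_admin reachable from any host"))
        if "two-factor" not in s:
            findings.append((name, "no two-factor"))
    return findings
```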
