ProBackend

The Firewall That Let Them In: How 74,000 Devices Became a Backdoor to the Global Economy

A massive breach of Fortinet firewalls has exposed plaintext credentials for nearly 74,000 devices across 194 countries, giving Russian-speaking attackers access to organizations including Oracle, Chevron, FedEx, and a NATO defense contractor.

The Firewall That Let Them In

It’s not a zero-day. It’s not a supply chain. It’s not even a clever exploit.

It’s just… a password.

And not just any password. It’s the one your IT team used because it was easy to remember. The one that’s still in use because no one ever got around to rotating it. The one that got cracked in 17 seconds by a 45-GPU cluster running on a rented server in a Moldovan data center.

We’re talking about 74,000 Fortinet firewalls—half of all internet-facing ones—breached. Not hacked. Not penetrated. Breached. As in: the keys were handed over. And they’re still in use. Right now. While you read this, someone’s logging into your CFO’s VPN session. Or pivoting from your firewall to your Active Directory. Or downloading classified documents from a NATO contractor in Istanbul.

This isn’t a breach you fix with a patch. This is a breach you fix by admitting your perimeter isn’t a wall. It’s a screen door.

And the attackers? They didn’t need to be geniuses. They just needed to be patient. And stupidly, terrifyingly, efficient.

Let me tell you how they did it. And why you’re still at risk—even if you think you’re secure.

The Researcher Who Found the Keys

Bob Diachenko didn’t set out to uncover the largest firewall breach in history.

He was debugging his own tool when he hit a misconfigured C2 server. Just a typo in the URL. One wrong character. And suddenly—he was inside.

Not a honeypot. Not a decoy. The real thing.

Inside, he found plaintext credentials. SSL VPN hashes. Logs showing exfiltrated files from a Turkish defense contractor. And a spreadsheet—yes, a goddamn spreadsheet—listing every compromised organization: Oracle, Chevron, FedEx, Siemens, PwC, Foxconn. Even Fortinet itself.

He called Kevin Beaumont. Beaumont called Hudson Rock. And within hours, the world realized: this wasn’t a leak. It was a dump. A live, unencrypted, fully searchable database of working credentials for half the global enterprise perimeter.

"The scale is the sophistication," Diachenko told Ars Technica. And you could hear the exhaustion in his voice. Not because it was complex. But because it was so simple. They didn’t need to break in. They just needed to try hard enough.

And they did.

For 14 months. 25,000 threads. 12 recursive cracking levels. A feedback loop where every successful crack made the next one easier.

It wasn’t a hack. It was a system.

And it worked because nobody believed it could.

How They Broke In: Not With a Hammer, But With a Spoon

Here’s the brutal truth: the attackers didn’t exploit a flaw in Fortinet.

They exploited us.

Step 1: They scanned. Not with fancy tools. Just Shodan. Nmap. A few lines of Python. They looked for /remote/login endpoints. That’s it. No magic. Just the fact that every FortiGate device has one.

Step 2: They sprayed. 25,000 threads. Each one trying a different username/password combo. They didn’t care about lockouts. They didn’t care about alerts. They had 74,000 targets. If one in 1,000 worked, they won.

And they used the same passwords you’ve been using since 2019:

  • Fall2024!
  • Winter2025#
  • QWERTY!
  • P@ssw0rd123
  • John2024
  • Sarah2025

You think your admin password is unique? It’s not. Not anymore. It’s in a dictionary. And that dictionary just got bigger.

Step 3: They intercepted. Once inside, they didn’t log in as an admin. They listened. SSL VPN handshakes leave hashes in memory. Weak ones. Unencrypted ones. They grabbed them. Offline. No alerts. No timeouts.

Step 4: They cracked. With 45 GPUs. Hashtopolis. A feedback loop that turned every successful crack into a new guess:

  • Winter2024!
  • winter2024!
  • Winter2024!!
  • Winter2024@
  • Winter2024!QWERTY

Each success fed the next. Each failure taught them something new. This wasn’t brute force. It was machine learning with passwords.

And Step 5? They moved. From firewall → RADIUS → AD → domain controller. In under 30 minutes. Because your firewall uses your AD password. And your AD password is the same one your intern used for her Netflix account.

This wasn’t a cyberattack.

It was a password audit—conducted by people who never had to ask for permission.
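Here is that audit from the defender's side. This is an added example, not code from the post or from Fortinet: a policy check that rejects the season-plus-year passwords from Step 2 and the case and symbol mutations from Step 4, so rotating "Winter2024!" to "Winter2024!!" no longer counts as a change. The blocklist, the 14-character floor, and the leet-speak table are assumptions made for the example; the post states none of them.

```python
import re

# Constructed blocklist for this example: the sprayed bases the post names plus the
# season/year family they belong to. A real deployment extends this with org and product names.
BANNED_BASES = {
    "winter", "spring", "summer", "fall", "autumn",
    "password", "qwerty", "welcome", "letmein", "admin",
}
MIN_LENGTH = 14  # assumed policy floor for this example; the post does not state one

# Undo common leet substitutions so "P@ssw0rd" and "password" compare equal.
_LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e",
                       "1": "i", "4": "a", "5": "s", "7": "t"})
_YEAR = re.compile(r"(?:19|20)\d{2}")


def normalize(pw):
    """Lowercase and reverse leet-speak; symbols and unmapped digits stay in place."""
    return pw.lower().translate(_LEET)


def audit_password(pw):
    """Return the policy violations for `pw`; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(pw)
    # Substring match on the normalized form catches "Winter2024!QWERTY" and "P@ssw0rd123";
    # it will also flag "waterfall2024", which is the trade-off a blocklist makes.
    for base in sorted(BANNED_BASES):
        if base in norm:
            reasons.append(f"contains banned base word '{base}'")
    years = _YEAR.findall(pw)
    if years:
        # Remove the year(s) and every symbol; if only letters remain, the password is
        # the <word><year><symbols> shape behind John2024, Sarah2025 and Fall2024!.
        remainder = re.sub(r"[^A-Za-z0-9]", "", _YEAR.sub("", pw))
        if remainder.isalpha() and len(remainder) <= 12:
            reasons.append(f"word-plus-year pattern ('{remainder}' + {years[0]})")
    return reasons


def audit_many(candidates):
    """Map each candidate to its violations, in input order."""
    return {pw: audit_password(pw) for pw in candidates}


if __name__ == "__main__":
    # The variants the post lists, plus one passphrase that should pass.
    SPRAYED = ["Fall2024!", "Winter2025#", "QWERTY!", "P@ssw0rd123", "John2024",
               "Sarah2025", "Winter2024!!", "Winter2024@", "Winter2024!QWERTY"]
    for pw, why in audit_many(SPRAYED + ["correct horse battery staple"]).items():
        print(f"{pw!r:32} {'OK' if not why else '; '.join(why)}")
```

Wire `audit_password` into whatever sets or rotates VPN and admin credentials, and feed it the cracked list itself once you have it: every entry in that list is a new banned base.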

Who Got Hit? (Spoiler: It’s Not Who You Think)

If you think this only hit big banks or defense contractors, you’re wrong.

The top affected countries?

  • India: IT services, MSPs, telecoms
  • United States: Fortune 500s, energy, logistics
  • Taiwan: TSMC suppliers, semiconductor fabs
  • Mexico: Construction, heavy machinery
  • Turkey: Critical infrastructure—and that NATO contractor
  • Thailand: Automotive assembly lines

The sectors?

  • IT services (MSPs with 500+ clients)
  • Construction materials
  • Telecommunications
  • Financial services
  • Industrial automation (Siemens, Rockwell)
  • Defense contractors

And the companies?

Oracle. Chevron. FedEx. Lenovo. Samsung. Comcast. PwC. Accenture. Foxconn. Siemens.

Hudson Rock called it a "verified database of working credentials for some of the largest enterprises on the planet."

And here’s the kicker: they didn’t just get the passwords. They got who used them. Employee count. Revenue. Industry. Location.

This wasn’t a breach. It was a corporate reconnaissance mission.

And it’s still running. Because 74,000 devices are still online. And no one’s patched them.

You think you’re safe because you don’t use Fortinet? Think again. Your vendor does. Your cloud provider does. Your MSP does.

And if they’re compromised, so are you.

Why the Attackers Got Away With It

Here’s the real horror story: the attackers were amateurs.

They left logs. Debug strings. Unredacted dumps. Their C2 server was a mess. In red-team circles, this would’ve gotten them kicked out of the club.

But they didn’t need to be stealthy.

They needed to be persistent.

They didn’t care if you saw them. They just needed you to not act.

And you didn’t.

Why?

Because your SIEM alerts only trigger after 10 failed logins from the same IP. Not 50 IPs with 1,000 attempts each.
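What a rule that counts across sources instead of per source looks like, as an added example (not code from the post, from Fortinet, or from any SIEM vendor): it parses FortiGate-style `ssl-login-fail` events, applies the classic ten-failures-from-one-IP rule, and then applies a per-account rule that fires when one account is hit from five or more distinct addresses inside a window, however few tries each address makes. The log lines are constructed for the example, the source addresses are documentation ranges, and the thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FortiGate-style SSL VPN failure events in key="value" syslog form.
# Sample data for this example only; addresses are RFC 5737 documentation ranges.
_SPRAY_SOURCES = ["203.0.113.5", "203.0.113.77", "198.51.100.12",
                  "198.51.100.200", "192.0.2.9", "192.0.2.150"]


def _event(date, time, user, ip):
    return (f'date={date} time={time} type="event" subtype="vpn" level="alert" '
            f'action="ssl-login-fail" user="{user}" remip="{ip}" '
            f'reason="sslvpn_login_permission_denied"')


SAMPLE_LOGS = [
    # six sources, three tries each against "admin": under any per-IP lockout threshold
    _event("2025-01-15", f"10:{i:02d}:{j * 10:02d}", "admin", ip)
    for i, ip in enumerate(_SPRAY_SOURCES) for j in range(3)
] + [
    # one legitimate user who mistyped twice from a single office address
    _event("2025-01-15", "10:02:15", "jsmith", "192.0.2.44"),
    _event("2025-01-15", "10:02:31", "jsmith", "192.0.2.44"),
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict and attach a parsed timestamp as 'ts'."""
    ev = {k: (q or u) for k, q, u in _KV.findall(line)}
    ev["ts"] = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
    return ev


def failed_logins(lines):
    return [e for e in map(parse_line, lines) if e.get("action") == "ssl-login-fail"]


def per_ip_alerts(events, threshold=10):
    """The classic rule: N failures from one source. A spray stays below it."""
    counts = defaultdict(int)
    for e in events:
        counts[e["remip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_spray_alerts(events, window=timedelta(minutes=15), min_sources=5):
    """Per-account rule: flag an account hit from >= min_sources distinct addresses
    inside any `window`, regardless of how many attempts each address makes."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((e["ts"], e["remip"]))
    alerts = {}
    for user, hits in by_user.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):          # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            sources = {ip for _, ip in hits[start:end + 1]}
            key = (len(sources), end - start + 1)
            if len(sources) >= min_sources and (
                    best is None or key > (best["sources"], best["attempts"])):
                best = {"sources": len(sources), "attempts": end - start + 1,
                        "first": hits[start][0], "last": hits[end][0]}
        if best:
            alerts[user] = best
    return alerts


def analyze(lines):
    events = failed_logins(lines)
    return {"per_ip": per_ip_alerts(events), "spray": distributed_spray_alerts(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    print("per-IP rule fired for:", result["per_ip"] or "nothing")
    for user, a in result["spray"].items():
        print(f"SPRAY {user}: {a['sources']} sources, {a['attempts']} attempts "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the sample data the per-IP rule never fires, because no address tries more than three times; the per-account rule fires on `admin` with six sources and eighteen attempts in five minutes. The same grouping, keyed on the device rather than the account, catches a spray that rotates usernames as well as addresses.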

Because your FortiGate has Fail2Ban disabled. "We don’t need it," your network team says. "It’s behind the firewall."

Because your admin accounts don’t have MFA. "It slows things down."

Because your firewall talks directly to your AD. "It’s always worked."

Because you think brute force = easy to detect.

It’s not.

Not when you’re doing it at 25,000 threads.

Not when you’re learning from every failure.

Not when you’re not trying to break in.

You’re just trying to log in.

And that’s the most dangerous thing of all.

Because you can’t defend against something you refuse to believe is possible.

What You Need to Do—Right Now

I’m not going to give you fluff. No "consider implementing". No "best practices". This is a fire. Here’s how you put it out.

This hour:

  • Go to Hudson Rock’s search tool. Type in your domain. If it shows up? Assume you’re compromised. No ifs, ands, or buts.
  • Check your firewall logs for repeated logins from unknown geographies. Look for RADIUS authentication spikes. Look for AD logins from non-domain devices.

Today:

  • Rotate every SSL VPN credential. Even the ones you think are unused. Even the ones for "legacy systems". Even the ones your vendor said "we’ll handle."
  • Enforce hardware tokens on every admin account. No exceptions. Not even for "trusted" employees.
  • Disable direct firewall-to-AD connections. Segment. Isolate. Assume breach.

This week:

  • Replace every FortiGate that’s internet-facing. Not update. Not patch. Replace. You don’t know what’s in there.
  • Implement zero-trust for remote access: MFA + device health + time-limited sessions. No more "always-on" VPNs.
  • Audit every vendor who uses Fortinet. If they’re compromised, you’re compromised.

And if you’re still using Fall2024!? You’re not just vulnerable. You’re asking for it.

This isn’t about technology. It’s about discipline.

And right now? Most organizations don’t have any.

The Real Lesson: Brute Force Isn’t Dead. It’s Evolved.

We’ve been taught that APTs are sophisticated. That nation-states use zero-days. That the bad guys are geniuses.

This attack proves the opposite.

The attackers didn’t use AI. Didn’t use ransomware. Didn’t use phishing.

They used the same tools you’ve had since 2015: Nmap. Shodan. Hashtopolis. A spreadsheet.

They didn’t need to be smart. They just needed to be consistent.

And that’s the real danger.

Because the next attacker won’t be a Russian-speaking gang. It’ll be a teenager with a $200 GPU rig and a GitHub repo full of password lists.

And they’ll do it faster. Cheaper. Better.

This breach didn’t happen because of a flaw in Fortinet.

It happened because we stopped believing that the basics matter.

We thought patching was enough. We thought firewalls were walls. We thought MFA was optional.

We were wrong.

The firewall didn’t fail.

We did.

And until we admit that? This isn’t the last breach.

It’s the first of many.
