Massive Fortinet Breach: What Happened and What We’re Doing About It

June 2026 — If your business uses a Fortinet firewall for remote access (SSL VPN), you need to know about a major security incident that just surfaced. Here’s what we know, what we’ve done, and what you should do next.
The Short Version for Business Leaders
Researchers discovered that attackers compromised approximately 74,000 Fortinet firewalls worldwide — roughly half of all internet-facing FortiGates. The attackers first obtained valid login credentials through a massive credential-spraying campaign (trying a short list of common passwords against a very large number of accounts and devices, a pattern that slips under most per-account lockout rules), then extracted authentication hashes from the devices they got into. They cracked those hashes with a 45-GPU cluster and used the results to reach internal networks — including Active Directory, file servers, and other sensitive systems.
Affected organizations include Fortune 500 companies, a NATO defense contractor, government agencies, and critical infrastructure providers.
If you have a Fortinet firewall and your VPN passwords haven’t been changed since this incident surfaced, change them now. If multi-factor authentication (MFA) is not enabled on your VPN, enable it today; password spraying only works against accounts protected by a password alone.
For the Technical Folks: How This Worked
The threat actors (described as Russian-speaking and criminally motivated) ran a massive distributed credential-spraying operation:
- Scanned the internet for FortiGate SSL VPN endpoints
- Used a custom binary with 25,000 threads to spray hundreds of thousands of endpoints with thousands of credential combinations
- Upon successful authentication, intercepted SSL VPN authentication hashes
- Exfiltrated hashes to a 45-GPU cracking cluster running Hashtopolis
- Used a feedback-driven, 12-level recursive cracking system with custom dictionaries
- Used cracked credentials to pivot to centralized authentication (RADIUS, Active Directory)
- Confirmed full network compromises in Japan, Taiwan, Vietnam, Iraq, and Turkey — including classified document exfiltration from a Turkish NATO contractor
The scale is unprecedented: ~74,000 devices across 21,000+ IP addresses in 194 countries. “Almost all” compromised devices remained online as of June 17 per researcher Kevin Beaumont.
What We Did: MyIT Threatfeed Response
For our MyIT clients with Fortinet firewalls, our Threatfeed system provided immediate protection:
Within minutes of detection:
- We leveraged aggregate data from our entire managed fleet of firewalls to detect coordinated attack patterns
- Cross-referenced login attempts across all client environments to identify and block malicious actors before they could establish footholds
- Automatically synchronized threat intelligence across all managed firewalls in real time
This collective defense approach specifically countered the distributed credential-spraying phase of the attack — the primary initial vector.
Current monitoring includes:
- Anomalous VPN authentication patterns across our client base
- Successful logins from unusual locations or outside normal business hours
- Indicators of lateral movement following VPN access
- Emerging attack patterns correlated across multiple client environments
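To make the monitoring above concrete, here is an added example (not code from the original post, from Cyber Tech Cafe, or from the MyIT Threatfeed): a Python script that parses FortiGate-style SSL VPN event logs, flags a source IP that fails against many different usernames in a short window, and then flags any successful tunnel from that IP or outside business hours. The log lines are constructed samples in the FortiOS key=value style; the field names (devname, action, remip, user), the action values and the thresholds are assumptions to verify against your own firewall’s output, and the business-hours check assumes the firewall’s clock is in the site’s timezone. The same script serves the “review recent VPN access logs” action item further down.

```python
"""Hunt for FortiGate SSL VPN credential spraying and risky logins in event logs."""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample lines (not real captures) written in the FortiOS key=value
# event-log style. Field names such as devname, action, remip and user are
# assumed from the vpn event subtype; confirm them against your own firewall.
# One source IP (203.0.113.7) sprays four accounts across two firewalls, two
# guesses per device, and then gets in as "dmitri".
SAMPLE_LOGS = """\
date=2026-06-17 time=02:11:03 devname="fw-hq" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="amanda" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2026-06-17 time=02:11:04 devname="fw-branch" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="brian" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2026-06-17 time=02:11:05 devname="fw-branch" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="carla" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2026-06-17 time=02:11:06 devname="fw-hq" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="dmitri" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-17 time=02:11:09 devname="fw-hq" type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="dmitri" reason="login successfully" msg="SSL tunnel established"
date=2026-06-17 time=09:30:12 devname="fw-hq" type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.20 user="erin" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-17 time=09:30:40 devname="fw-hq" type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.20 user="erin" reason="login successfully" msg="SSL tunnel established"
date=2026-06-17 time=14:02:55 devname="fw-branch" type="event" subtype="vpn" action="tunnel-up" remip=192.0.2.33 user="frank" reason="login successfully" msg="SSL tunnel established"
date=2026-06-17 time=22:15:30 devname="fw-branch" type="event" subtype="vpn" action="tunnel-up" remip=192.0.2.33 user="frank" reason="login successfully" msg="SSL tunnel established"
"""

# key=value pairs; values are either "quoted, may contain spaces" or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_logs(text):
    """Turn key=value log lines into dicts and add a parsed 'ts' datetime.

    date/time are the firewall's local clock, so the business-hours check
    below assumes the firewall and the site share a timezone (an assumption)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}
        fields["ts"] = datetime.strptime(
            f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events


def spray_sources(events, min_users=3, window_seconds=600, per_device=False):
    """Source IPs whose failures hit >= min_users distinct accounts inside the window.

    Keys are the source IP, or (devname, IP) when per_device=True. Pooling the
    failures from every managed firewall is what exposes a sprayer that only
    makes a couple of guesses against each individual device."""
    fails = defaultdict(list)
    for e in events:
        if e.get("action") != "ssl-login-fail":
            continue
        key = (e["devname"], e["remip"]) if per_device else e["remip"]
        fails[key].append((e["ts"], e["user"]))
    hits = {}
    for key, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:]
                     if (t - start).total_seconds() <= window_seconds}
            if len(users) >= min_users:
                hits[key] = sorted(users)
                break
    return hits


def suspicious_logins(events, spray_ips, start=time(8, 0), end=time(18, 0)):
    """Successful tunnel-up events from a spraying source or outside business hours."""
    flagged = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("action") != "tunnel-up":
            continue
        reasons = []
        if e["remip"] in spray_ips:
            reasons.append("login-from-spray-source")
        if not (start <= e["ts"].time() < end):
            reasons.append("off-hours")
        if reasons:
            flagged.append({"devname": e["devname"], "user": e["user"],
                            "remip": e["remip"], "ts": e["ts"].isoformat(),
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print("per-device view:", spray_sources(evts, per_device=True))  # nothing reaches threshold
    fleet = spray_sources(evts)
    print("fleet view:", fleet)  # 203.0.113.7 tried amanda, brian, carla, dmitri
    for finding in suspicious_logins(evts, set(fleet)):
        print("REVIEW", finding)
```

The per_device pass shows what any single firewall sees (two failed guesses each, nothing alarming); the pooled pass is the collective-defense idea from the section above, and it is what surfaces the sprayer and turns the later “dmitri” tunnel into a finding worth a phone call. Geo-based “unusual location” checks need a GeoIP lookup and are left out here; if you tune the thresholds, remember that spraying campaigns deliberately stay under per-account lockout counts, so count distinct usernames per source rather than attempts per account.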
What We Still Don’t Know (Early Stage)
This incident broke on June 17, 2026. Critical details remain unknown:
- Specific command-and-control (C2) server IPs and domains haven’t been publicly released
- Complete attacker infrastructure is still being analyzed
- Full scope of compromised credentials is still emerging
- Fortinet has not yet published an official PSIRT advisory with IOCs
We are actively monitoring researcher publications (Hudson Rock, SecurityDiscovery, CISA) and will update our defenses as indicators become available — including adding verified C2 infrastructure to our blocklists.
Immediate Action Items
For Everyone:
- Change your VPN passwords — treat any password in use on an SSL VPN account before June 17 as potentially exposed, especially if it hasn’t been changed recently or is reused across services (change it on those other services too)
- Enable MFA on VPN access — credential spraying only works against password-only accounts, so MFA would have blocked the initial-access phase of this attack; prefer an authenticator app or hardware token over SMS
- Review recent VPN access logs — look for bursts of failed logins spread across many different usernames from one source IP followed by a successful login from that same IP, and for successful logins from unfamiliar IPs or outside normal business hours
- Validate your backup and incident response plans — assume compromise is possible and ensure you can recover
Need IT Support for your Home or Business? We’d love to help!
Are you a small to medium-sized business looking to leverage technology so that your business and workforce can work smarter and more efficiently? Do you already have computers, servers, firewalls, VPNs or other technology that you’re not taking full advantage of? Are you looking for an IT Service Provider who understands the needs and challenges of small to medium-sized businesses, and who will work with you to grow your business rather than just sell you time?
Cyber Tech Cafe is an IT Service Company focused on helping small to medium-sized businesses get the most out of their technology investment. As a small business ourselves, we understand the challenges you face and have designed our service offerings to help you get the most out of your technology dollar. We offer on-call, as-needed support if you just need a quick fix or an extra set of hands right now. We also offer maintenance plans, which we call “MyIT”, that address the most common concerns (patch management, disaster recovery / backup, log review, etc.), are priced by the number of workstations and servers you have, and carry no term contract. We believe that if you find value in what we’re doing, you’ll find a way to keep us around without a contract saying that you have to.
If you have questions about the MyIT plans or have an IT need that you need addressed right now, let us know. We look forward to the opportunity to earn your business.
Sources
- Goodin, Dan. “Massive breach spills credentials for thousands of sensitive networks.” Ars Technica, June 17, 2026. https://arstechnica.com/security/2026/06/massive-breach-spills-credentials-for-thousands-of-sensitive-networks/
- Hudson Rock. “Cavalier – Cybercrime Intelligence Platform.” Hudson Rock, accessed June 18, 2026. https://cavalier.hudsonrock.com/
- Beaumont, Kevin. Mastodon posts on Fortinet compromise analysis. Cyberplace.social/@GossiTheDog, June 17, 2026. https://cyberplace.social/@GossiTheDog
- Diachenko, Bob. Research findings via SecurityDiscovery.com. Cited in Ars Technica reporting, June 2026.
Note: As of publication, Fortinet has not yet published an official PSIRT advisory. We will update this post with additional official sources as they become available.
