Daylila

Cybersecurity · Saturday, 20 June 2026

01 · Briefing · what happened

86,000 firewalls fell because nobody changed the factory password

A global campaign called FortiBleed broke into 86,644 Fortinet firewalls — the guards at the edge of company networks. The attackers didn't crack anything. They logged in with default and reused passwords that were never changed.

Key takeaways

  • A campaign called FortiBleed reached 86,644 Fortinet firewalls by logging in with default and leaked passwords — not by exploiting a clever flaw.
  • More than a third of the compromised accounts were factory logins nobody renamed; another third were reused passwords from old breaches that were never changed.
  • The fix is unglamorous and free: change any default password your devices shipped with, and don't reuse a password that has already leaked somewhere.

The U.S. cyber-defence agency CISA spent Thursday urging companies to lock down their Fortinet firewalls, after a sweeping campaign reached 86,644 of them and counting [1]. The devices are FortiGate appliances — the firewall and VPN gateway that sits at the edge of a network and decides who gets in. The campaign has a name, FortiBleed, and it is believed to be the work of Russian-speaking criminals [1].

Here is the part worth sitting with: the attackers did not break anything. They logged in.

What actually happened

The method was credential stuffing — taking lists of usernames and passwords and trying them, at scale, against every Fortinet login page exposed to the internet [1]. Credential stuffing works only when the passwords are real. And they were.

The attack ran on its own. The tool tried a curated list of leaked Fortinet passwords against devices across the internet. Once it got into one, it quietly watched the traffic passing through to harvest more credentials, then used those to break into more devices [1]. Every working login was verified and added to a database. The security firm Hudson Rock said the attackers “have built a verified database of working credentials for some of the largest enterprises on the planet” [1].

Telecom, government, and education were hit hardest, with the most exposed devices in India, the U.S., Mexico, Colombia, and Thailand [1].
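A defender's view of the credential-stuffing pattern described above, as an added example that is not part of the original article: it flags any source that tries many distinct usernames in a short window, and lists the accounts whose logins succeeded from that source. The log format, usernames, addresses and thresholds are constructed for illustration and are not a FortiGate log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a made-up format: time, source IP, username, result.
SAMPLE_LOG = """\
2026-06-18T02:00:01 203.0.113.7 admin FAIL
2026-06-18T02:00:03 203.0.113.7 netops FAIL
2026-06-18T02:00:05 203.0.113.7 support FAIL
2026-06-18T02:00:08 203.0.113.7 backup FAIL
2026-06-18T02:00:11 203.0.113.7 vpnuser OK
2026-06-18T02:00:14 203.0.113.7 monitor FAIL
2026-06-18T09:12:40 198.51.100.20 jlee FAIL
2026-06-18T09:12:55 198.51.100.20 jlee FAIL
2026-06-18T09:13:10 198.51.100.20 jlee OK
"""

def parse(text):
    """Turn log text into (timestamp, source, username, success) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources that try many distinct usernames inside one time window.

    Stuffing tries one known password per account across many accounts, so the
    signal is username spread per source, not repeated failures on one account.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        by_src[src].append((ts, user, ok))
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u, _ in evs[start:end + 1]}
            if len(users) >= min_users:
                # Every login that succeeded from this source is a working
                # credential in someone else's hands: rotate it.
                findings[src] = sorted({u for _, u, ok in evs if ok})
                break
    return findings

if __name__ == "__main__":
    for src, accounts in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: username spray detected, rotate {accounts or 'nothing (all failed)'}")
```

The second source in the sample, one user mistyping a password twice, is deliberately not flagged: repeated failures on a single account are a different signal from one source walking through many accounts.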

Why the passwords worked

This is the mechanism. According to data from SOCRadar, 35% of the compromised accounts were generic admin logins and 28.3% were built-in factory accounts that ship with the device [1]. SOCRadar put it plainly: it “points directly to a widespread failure to rename default accounts or rotate factory credentials” [1]. In other words, the firewall arrived with a lock, and a person never changed the key.

The remaining 36.7% were accounts the organisations created themselves — compromised, SOCRadar said, because passwords from earlier breaches “were never changed” [1].

There is a technical thread too. When older FortiGate devices were upgraded, their admin passwords stayed stored with an older, weaker scrambling method until the admin next logged in — which the security firm Arctic Wolf says left many organisations storing credentials in a form easier to abuse [1]. Fortinet, for its part, said the data is “likely a resharing” of credentials from past incidents [1]. Either way, the front door opened because nobody had changed the key behind it.

What to do

If you run anything that arrived with a default login — a router, a camera, a smart-home hub, a work device — the single highest-value thing you can do is change that factory password. It takes under a minute and it is the step this entire campaign depended on people skipping. And if a password of yours leaked in an old breach, it is not safe anywhere you reused it. Change it there too. That is how one old breach becomes a new one.
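The advice above, expressed as a check that could run when a device password is set (an added example, not code from the article or from any vendor): it refuses the shipped default, anything on a local breach list, and anything already in use on another device. All passwords, the device name and the breach list are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import os

def kdf(password, salt, rounds=100_000):
    """Salted slow hash used for stored credentials (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def store(password):
    """Return (salt, digest), the only form in which a password is kept."""
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed sample data, not real credentials.
SHIPPED_DEFAULT = "factory-default-123"          # whatever the box came with
BREACH_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
               for p in ("Summer2023!", SHIPPED_DEFAULT)}   # local breach list
OTHER_DEVICES = {"branch-fw-02": store("edge-Gateway-77-kestrel")}

def reject_reasons(candidate, other_devices=OTHER_DEVICES):
    """List every reason the candidate password must not be accepted."""
    reasons = []
    if hmac.compare_digest(candidate.encode(), SHIPPED_DEFAULT.encode()):
        reasons.append("still the factory default")
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACH_SHA1:
        reasons.append("appears in a breach list")
    # Reuse check: re-derive with each device's own salt, since salted
    # digests of the same password never match each other directly.
    for device, (salt, digest) in other_devices.items():
        if hmac.compare_digest(kdf(candidate, salt), digest):
            reasons.append(f"reused from {device}")
    return reasons

if __name__ == "__main__":
    for pw in (SHIPPED_DEFAULT, "Summer2023!", "edge-Gateway-77-kestrel",
               "quiet-otter-prints-41-maps"):
        print(repr(pw), "->", reject_reasons(pw) or "accepted")
```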

Elsewhere this week

Apple shipped a patch for a flaw in its Beats earbuds that could have let someone eavesdrop, part of a batch of fixes worth installing whenever your devices prompt you [3]. And researchers flagged a new piece of malware called CryptoBandits that hides its communications inside Tor traffic to stay invisible while it sits on an infected machine [2] — a reminder that the goal of most intrusions is to stay quiet, not loud.

One line from a security webinar summed up the whole week better than any threat report: “Today’s attackers are no longer breaking in — they’re logging in.” [2] The walls are not the weak part anymore. The keys are.

02 · Lesson · why it matters

The strongest lock is only as good as whoever changed the key

A firewall is a wall built by engineers and handed to a person — and the person is the part that fails.

A machine did its job perfectly

Picture the firewall in the FortiBleed story. It is a serious piece of engineering. Teams of people spent years making it hard to break. By most measures, it worked — 86,644 of them, and not one was cracked.

They were logged into. With the password that came in the box.

Hold those two facts together. The hardest part of the system — the code, the cryptography, the wall itself — held. The easiest part failed. A person, somewhere, unboxed a firewall, plugged it in, and never changed the factory login. That single skipped step is what let a criminal group build a verified list of working keys to some of the largest companies on Earth.

Security has a soft layer, and it isn’t the code

There is a habit of thinking about security as a contest of machines. Stronger encryption versus faster cracking. Better walls versus cleverer tunnels. That contest is real, and the defenders are mostly winning it.

But every wall has a gate, and every gate has a person who decides how it’s set up and who’s allowed through. That person is the soft layer. Not because they’re careless — because they’re human, and a human carries a thousand small jobs and forgets one. Renaming a default account is a thirty-second task that protects nothing visible today. So it waits. And waits.

The attacker knows this. They didn’t go looking for a flaw in the steel. They went looking for the gate someone forgot to lock — and they automated the search across the whole internet at once.

“They’re no longer breaking in — they’re logging in”

A security webinar this week put it in one sentence: attackers aren’t breaking in anymore, they’re logging in. It sounds like wordplay. It’s the entire shift.

Breaking in means defeating the defence. Logging in means using it as intended — with a key that should have been changed and wasn’t, or a password that leaked years ago and was reused. The defence never gets tested. It gets walked around, through the human-shaped opening every system has.

This is why the same trick works as a phone call. An attacker who rings a help desk, sounds calm and official, and asks for a password reset is doing exactly what FortiBleed did — routing around the lock by asking a person nicely. The strongest authentication in the world means nothing if a human can be talked into opening the door. The lock guards against strangers. It was never designed to guard against being asked politely.

You are the perimeter too

It is tempting to read this as a story about lazy administrators at big firms. It isn’t. The mechanism is the same one that reaches your kitchen.

Your router shipped with a default password. Your camera, your smart speaker, your work laptop — each arrived with a key someone is supposed to change. Each is a small gate. The same automated tools that scanned for forgotten firewalls scan for forgotten home devices, because the failure is identical: a human meant to do a small thing and didn’t.

And the reused password is the most human failure of all. We reuse because remembering is hard, and the cost of reusing feels like nothing — until one of those sites leaks, and the leak quietly becomes a key to all the others. The breach you never heard about three years ago is, right now, sitting in a database the attacker verifies one login at a time.

What seeing the whole leaves you with

The lesson isn’t that people are the weak link, said with a sigh. It’s that people are the perimeter — the actual edge of every secure system, the place where the engineered part meets the world. No amount of better code moves that edge somewhere safer. It moves with the person.

That should sit a little uncomfortably, because it includes you. Not as a spectator reading about distant firewalls, but as one more gate on the same internet the attackers are scanning right now. The engineers gave you a strong lock. Whether it holds was never up to them. It was always up to whoever changed the key — and that has your name on it more often than you’d think.

03 · Lab · your turn

Harden the Edge

Rehearse setting up a new device and watch how the human steps you skip — not the engineering — decide whether the door holds.

04 · Hope · carry this

The same fact that makes us the weak point makes us the fix: the strongest defence this week cost nothing and took thirty seconds, and it was always in ordinary hands. We are not waiting on better engineering to be safer — we already hold the key.
