News · June 18, 2026 · 3 min read

NATO contractor, Oracle, Lenovo hit in massive credential theft

Attackers stole VPN credentials from thousands of networks using a 45-GPU cluster to crack authentication hashes. Compromised organizations span defense, tech, and critical infrastructure.

Our Take

The breach is real and serious, but the attackers' poor operational security suggests the exposed database will keep circulating among unrelated threat groups for months.

Why it matters

Firewall VPN access is a direct path to internal networks, and this database contains thousands of targets across defense contractors, telcos, and financial services. Organizations on that list need to assume their credentials have been attempted elsewhere.

Do this week

Security teams: audit firewall authentication logs for password spray attempts and lateral movement patterns, covering the 90 days before the breach was discovered.

Attackers cracked thousands of VPN credentials using GPU cluster

A threat group intercepted SSL VPN authentication hashes from multiple organizations and cracked them using a dedicated 45-GPU cluster running Hashtopolis, a password-cracking orchestration tool. The attackers then used the recovered credentials to move laterally into Active Directory and other centralized authentication systems (per Hudson Rock, a threat intelligence firm that discovered the breach).

The cracking methodology was sophisticated. Instead of a single dictionary attack, the attackers ran a 12-level recursive feedback loop. Password candidates came from custom dictionaries with up to eight words, keyboard patterns, and cracking rules. Each successful guess fed back into the system to generate new candidates, meaning the attack improved with each password it cracked.

The exposed database lists thousands of compromised networks across Japan, Taiwan, Vietnam, Iraq, and Turkey. Independent researcher Kimberly Diachenko confirmed full network compromises at multiple organizations, including a Turkish NATO defense contractor from which classified defense documents were exfiltrated. Other named victims include Oracle, Lenovo, FedEx, Foxconn, Samsung, Comcast, Siemens, PwC, and Accenture. Hudson Rock reported that the database also contains data from major government agencies and critical infrastructure providers.

The top countries where compromised devices were found: India, the US, Taiwan, Mexico, Turkey, and Thailand (per Hudson Rock). Top affected industries included IT services, construction materials, telecommunications, construction and engineering, industrial equipment, and financial services.

Amateur mistakes in a sophisticated attack

The attackers left artifacts on the server they used to orchestrate the cracking, operational security lapses that hacker circles themselves would regard as mistakes. This suggests the database has likely been copied and is now circulating among multiple threat actors, not just the original group. Diachenko's independent discovery of the database confirms this risk.

Firewalls have been a standard entry point for attackers for years because they sit at network perimeters, accept external connections, and have direct access to internal resources. The combination of stolen VPN credentials, a public database, and poor attacker OPSEC means the window for containment has closed.

Assume your credentials were in the database if your network was targeted

Organizations using Fortinet firewalls should review their access logs immediately for failed authentication attempts and unusual login patterns over the past 90 days. If your organization appears on the victim list or operates critical infrastructure in the affected regions, treat all VPN credentials as potentially compromised and force password resets for all privileged accounts.
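The log review recommended above can be scripted. The example below is added here and is not code from the article or from Hudson Rock; it runs over a small set of constructed SSL VPN authentication log lines in a simplified key=value format (an assumption, since real firewall logs, Fortinet's included, use their own field names and would need a different parser). It flags a source address that fails against many distinct accounts in a short window (password spraying) and then lists any successful logins from that same source, which are the accounts to reset first.

```python
"""Added example (not from the article): scan constructed SSL VPN authentication
log lines for password-spray behaviour and for successes that follow a spray."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real firewall output): timestamp, source IP,
# username, result. 203.0.113.7 tries six accounts in twelve seconds and lands one;
# 198.51.100.20 is an ordinary user with one mistyped password.
SAMPLE_LOGS = """\
2026-06-01T02:00:01Z src=203.0.113.7 user=alice result=failed
2026-06-01T02:00:03Z src=203.0.113.7 user=bob result=failed
2026-06-01T02:00:05Z src=203.0.113.7 user=carol result=failed
2026-06-01T02:00:07Z src=203.0.113.7 user=dave result=failed
2026-06-01T02:00:09Z src=203.0.113.7 user=erin result=failed
2026-06-01T02:00:12Z src=203.0.113.7 user=frank result=success
2026-06-01T09:15:00Z src=198.51.100.20 user=alice result=success
2026-06-02T11:00:00Z src=198.51.100.20 user=alice result=failed
2026-06-02T11:00:30Z src=198.51.100.20 user=alice result=success
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": fields["src"],
        "user": fields["user"],
        "result": fields["result"],
    }


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {src: set_of_usernames} for every source address whose failed
    logins hit at least `min_users` distinct accounts inside a sliding window.
    One or two accounts failing from one address is normal; many different
    accounts failing from one address in minutes is a spray."""
    failures_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            failures_by_src[e["src"]].append(e)

    hits = {}
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = hits.get(src, set()) | users
    return hits


def detect_success_after_spray(events, spray_sources):
    """Successful logins from a source already flagged as spraying. These are
    the accounts to treat as compromised and reset first."""
    return sorted(
        {(e["src"], e["user"]) for e in events
         if e["result"] == "success" and e["src"] in spray_sources}
    )


def review(text):
    """Run both checks over a block of log text and return a summary dict."""
    events = parse_logs(text)
    spray = detect_password_spray(events)
    return {
        "spray_sources": {src: sorted(users) for src, users in spray.items()},
        "compromised_logins": detect_success_after_spray(events, spray),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

The thresholds (`min_users=5`, a ten-minute window) are starting points; tune them against a quiet period of your own logs, and widen the review to the full 90 days the article recommends. A success from a spraying source is only one of the signals worth extracting; a success for an account from a source never seen for that account before is the natural next check to add.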

The breach is not a vendor vulnerability; it is credential theft at scale through a well-resourced attack. Patching firewalls will not help if the attacker already has valid credentials. Focus instead on detecting lateral movement: unusual Active Directory queries, mass permission changes, and data exfiltration patterns.
