Blog / Automation

74,000 Networks Breached Through One Vendor's Product

Security researchers published a list of 74,000+ compromised Fortinet firewall and VPN devices. Oracle, Samsung, Chevron, Comcast, Siemens, PwC, Accenture, and a Turkish NATO defense contractor were all on it. The thing every company on that list had in common: they all ran the same vendor's product, and it was exposed to the internet. That is the lesson worth understanding for any business that relies on shared software for critical operations.

Brendan Andrew Chase

Brendan Andrew Chase

June 22, 2026  ·  12 min read  ·  Security & Automation

In This Article

  1. 1. What Happened: The Breach in Plain Terms
  2. 2. It Was Not a Zero-Day. It Was a Mass Scan.
  3. 3. The Real Problem Is Shared Software at Scale
  4. 4. This Applies to Your Business Integrations Too
  5. 5. What Custom-Built Integrations Look Like Differently
  6. 6. What We Build and Why It Matters
  7. 7. Frequently Asked Questions

What Happened: The Breach in Plain Terms

In June 2026, SOFX and security researcher Bob Diachenko of SecurityDiscovery.com published findings on a massive compromise of Fortinet FortiGate devices: the firewall and VPN appliances that sit at the edge of corporate networks and control who can connect to what.

The scale: roughly 74,000 devices across 194 countries, covering more than 22,000 corporate domains. The affected organisations included Oracle, Samsung, Chevron, Foxconn, Comcast, Siemens, PwC, Accenture, and a Turkish defense contractor linked to NATO. Classified defense documents were exfiltrated from that last one.

Before getting into what went wrong, it is worth being precise about what kind of attack this was, because it shapes the lesson. This was not a supply chain attack in the classical sense. The attackers did not compromise Fortinet's software distribution pipeline, inject malicious code, or backdoor a vendor update. What they did was significantly less sophisticated, and that is what makes it more instructive.

Source note

The findings reported here come from SOFX, citing security researcher Bob Diachenko (SecurityDiscovery.com), Hudson Rock cybersecurity firm, and independent researcher Kevin Beaumont. We are reporting on their published research, not our own investigation.

It Was Not a Zero-Day. It Was a Mass Scan.

The attack methodology, as reported, did not rely on a previously unknown vulnerability. The attackers mass-scanned the internet for exposed Fortinet FortiGate login endpoints, then deployed credential-spraying tools running 25,000 simultaneous threads. After capturing VPN authentication hashes, they used a 45-GPU cluster to crack them.

This is brute-force infrastructure, not sophisticated exploitation. The attackers did not need to find a clever hole in the software. They found a very large number of identical login pages sitting exposed on the internet, and they hit all of them at once.

That distinction matters enormously. A zero-day attack is difficult to defend against before a patch exists. A mass credential-spraying campaign is, in theory, defendable: stronger authentication, not exposing management interfaces to the public internet, network segmentation. Many of the affected organisations apparently had none of these in place.

But the more important point is this: the reason the attackers could hit 74,000 targets with a single campaign is that all 74,000 targets had the same product in the same configuration on the same publicly routable address space. They shared an attack surface.

The Real Problem Is Shared Software at Scale

When a large number of organisations all run identical software in identical configurations and expose it in identical ways, they become a single target that scales. This is sometimes called vendor monoculture risk. It is not a new concept in security, but this breach illustrates it at a scale that is hard to ignore.

The attackers built one scanner, one credential-spraying tool, one hash-cracking rig, and they pointed it at an enormous homogenous surface. Oracle and a roofing company in Texas had the same login page. A NATO contractor and a mid-size logistics firm had the same authentication mechanism. The attack scaled because the target was uniform.

74,000+

networks compromised in a single campaign targeting one vendor's product

194

countries affected, from Fortune 500 companies to mid-market businesses

0

zero-day vulnerabilities required. Credential spraying and hash cracking were enough.

For small and mid-sized businesses, the reflexive response is often "this is an enterprise problem, not mine." It is not. Automated mass scanners do not distinguish between Oracle's network edge and yours. They scan IP ranges, find the same login pages, and add whatever responds to the target list. Your size does not protect you from a campaign designed to hit everything at once.

The relevant question for any business is: how much of your critical infrastructure and data pipeline runs through shared, mass-market, internet-exposed software? Because every other organisation using the same software is, in a meaningful sense, your breach neighbour.

This Applies to Your Business Integrations Too

Most businesses are not running Fortinet firewalls. But most businesses are running shared SaaS platforms for their integrations, data pipelines, and workflow automation. And those platforms have the same structural characteristic: a very large number of organisations' sensitive business data flows through them, the platforms are internet-facing by design, and a successful attack on the platform affects every customer simultaneously.

Think about what moves through a typical business integration stack:

  • CRM records including every lead, deal, and customer contact you have
  • Revenue data being synced between your accounting system and your ad platforms
  • API credentials and authentication tokens for every connected service
  • Customer order data flowing between your storefront and your ERP
  • Conversion data being uploaded to Google Ads and Microsoft Ads

When that data transits through a shared iPaaS platform, it is sitting on infrastructure that is also handling the same data for thousands of other businesses. The credentials your workflow uses to authenticate with your CRM are stored on that platform's servers alongside the credentials of everyone else using the same connector.

The shared platform risk model vs. the custom build risk model

Factor Shared SaaS Platform Custom Integration
Who can find the attack surface? Anyone scanning known platform domains and IPs Only someone targeting your specific infrastructure
Where are your credentials stored? On the platform's servers, alongside thousands of others In your own environment or secrets manager
If the platform is breached, what happens? Every customer's data and credentials is at risk Your integration is not affected
How discoverable is your integration? Discoverable via the platform's public API endpoints Not discoverable unless you expose it
Scope of access Typically broad, configured through GUI, easy to over-grant Defined in code, explicit, auditable

This does not mean shared platforms are reckless choices. Major iPaaS providers invest heavily in security. The point is structural: when you share a platform with thousands of other businesses, a successful attack on that platform's infrastructure has consequences for all of you simultaneously, regardless of how well-secured your own account settings are.

What Custom-Built Integrations Look Like Differently

A custom-built API integration is not public-facing by default. It does not have a known login page sitting on a well-known domain for attackers to scan. It is not listed on a platform's customer directory. It does not store your credentials alongside thousands of other businesses' credentials.

Here is what changes when you build rather than configure:

1

The attack surface is specific to you, not shared

A custom integration built to connect your CRM to your ad platform has no publicly known interface. Attackers cannot find it by scanning known platform endpoints or searching breach databases for common integration credentials. There is no mass-scan equivalent because there is no shared product to target.

2

Credentials stay in your environment

When a custom script authenticates with your CRM or ERP, those credentials live in your infrastructure, not on a third-party platform's servers. A breach of a SaaS platform you are not using does not expose your authentication tokens.

3

Scope is explicit and minimal

Custom integrations are built to do exactly one job. An integration that reads revenue data from your field service management platform and uploads it to Google Ads does not need, and does not have, write access to your customer records. The scope is defined in code, not in a GUI where it is easy to accidentally over-grant permissions.

4

You are not a target in someone else's breach

If a major iPaaS platform is compromised, the businesses affected are those whose credentials and data were stored on that platform. A custom integration that does not transit through that platform is simply not in scope for that breach.

One caveat that is worth stating clearly: custom-built does not mean invulnerable. Any software can have bugs. Any server can be misconfigured. Any credentials can be stolen if they are stored carelessly. But the risk profile is fundamentally different: instead of sharing a target with tens of thousands of other organisations, your attack surface is specific to you and proportional to your actual footprint.

For most small and mid-sized businesses, that is a meaningfully safer position to be in.

What We Build and Why It Matters

The integrations we build for clients are not configured through a shared cloud dashboard. They are purpose-built to do one specific job, scoped to the minimum permissions that job requires, and deployed in environments that our clients control.

Some examples of what that looks like in practice:

Data extraction without a read API

For a field service management platform with a write-only API, we built a Playwright headless browser that logs in, triggers a revenue report, and routes it downstream. The credential lives in our client's environment. Nothing transits through a shared platform.

Direct system-to-system sync

CRM to ERP syncs, offline conversion uploads to Google Ads, HubSpot to NetSuite pricing pipelines. Built in code, scoped to exactly the fields and records the job requires, running on infrastructure the client controls.

Self-hosted automation

Where n8n fits the use case, we deploy it self-hosted, not on n8n's shared cloud. Your workflows, credentials, and data stay on your own server. You get the automation without the shared infrastructure.

Scoped access by design

Every integration we build is scoped to what it actually needs. An integration that reads order data does not have delete permissions. An agent that drafts email replies cannot send without human approval. Least privilege is built in from the start, not added as an afterthought.

We are not selling security consulting. We are a digital marketing and automation agency. But the architecture decisions we make when building integrations, including where credentials live, how much access each integration gets, and whether your data transits through shared infrastructure, have direct security implications. We take those decisions seriously.

If you are currently running critical business data through shared integration platforms and you want to understand what a custom alternative would look like for your specific setup, that is a conversation worth having.

Want Custom Integrations Built for Your Business?

We scope, build, and maintain custom API integrations and workflow automations that connect your systems directly, without routing sensitive data through shared mass-market platforms. Tell us what you need connected and we will tell you whether a custom build makes sense.

Talk through your setup See workflow automation services

Frequently Asked Questions

Does custom-built mean the integration can't be hacked?

No. Any software can have vulnerabilities. The difference is the risk profile. A shared platform is a single high-value target that, if compromised, exposes every customer simultaneously. A custom integration built for one business is not on any attacker's standard target list, does not appear in mass scans, and a breach of any shared platform you are not using cannot affect it. The goal is not to be invulnerable. The goal is to not be in the blast radius of someone else's breach.

My business isn't Oracle or a NATO contractor. Why would attackers target me?

The FortiGate campaign did not target those organisations specifically. It scanned for any device running FortiGate software and exposed to the internet. Oracle and a small business with the same product appeared on the same list. Mass scanning attacks do not discriminate by company size or revenue. They discriminate by product. If you run the product, you are in scope.

What is the difference between cloud n8n and self-hosted n8n from a security perspective?

Cloud n8n runs on n8n's shared infrastructure. Your workflow definitions, credentials, and execution logs live on their servers. If their infrastructure is compromised, your data is in scope. Self-hosted n8n runs on a server you control, typically a VPS or cloud instance that only you manage. Your credentials are stored in your environment. A breach of n8n's cloud platform does not affect a self-hosted instance. For workflows handling sensitive business data, we build and recommend self-hosted deployments.

Is building custom integrations significantly more expensive than using a shared platform?

The build cost is higher upfront: a custom integration typically runs between $1,500 and $8,000 depending on complexity, compared to a few hours of configuration on a shared platform. The ongoing cost is often lower, since you are not paying per-task or per-operation fees that compound as your volume grows. For workflows processing high-value data, lead revenue, or anything that would be genuinely damaging if exposed, the cost difference is usually the smaller consideration. We cover the full cost breakdown in the workflow automation cost guide.

Should I move everything off shared platforms?

Not necessarily. The question is what data is at stake. A workflow that posts your latest blog article to social media does not need the same security consideration as one that syncs customer payment data or uploads revenue attribution to your ad platforms. We would start by mapping which integrations handle data that would be genuinely damaging if exposed, and looking at those first. Low-stakes workflows can stay on convenient shared platforms. High-stakes ones warrant the custom build conversation.

What kind of integrations does Extra Large Marketing build?

CRM to ERP data syncs, offline conversion pipelines from field service platforms to Google Ads and Microsoft Ads, HubSpot to NetSuite pricing automation, multi-source conversion hubs that combine API data with headless browser extraction, and self-hosted n8n deployments for ongoing workflow automation. The case studies section has documented examples of specific builds including the SingleOps revenue extraction pipeline and the law firm multi-source conversion hub.

Brendan Andrew Chase

Written by

Brendan Andrew Chase

Digital marketing consultant and automation specialist building custom API integrations, AI agents, and workflow systems for SMBs since 2014. 200+ clients served globally. Founder of Extra Large Marketing Digital, based in Rio de Janeiro.