
What’s a brute-force attack? The tactic behind this week’s Fortinet leak

A brute-force attack is exactly what it sounds like: software guessing username and password combinations over and over until one of them works. Nobody’s sitting there typing — attackers use automated tools that fire off millions, even billions, of guesses at a login page. The Fortinet “FortiBleed” leak that’s been in the news this week reportedly grew out of a campaign that made more than a billion login attempts against FortiGate firewalls, as reported by BleepingComputer.

It keeps working for two simple reasons: people reuse the same passwords across accounts, and plenty of logins sit exposed to the internet with nothing to slow the guessing down. Once an attacker cracks a single account, they’re inside — and from there they go looking for your files, your email and your clients’ data. For an Australian business, a breach that exposes personal information can trigger obligations under the Privacy Act, so a “minor” password guess can turn into a reportable incident.

The good news is that three measures shut brute-force attacks down almost entirely. Multi-factor authentication means a guessed password alone isn’t enough to get in. Account lockouts or rate limiting stop the tool after a handful of failed tries. And long, unique passphrases give the software vastly more to chew through. If any of your logins — VPN, email, remote desktop — face the internet without MFA, that’s the gap to close first.
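The lockout measure above is simple enough to show in code. The following is an added example, not code from this post or from any vendor product; the policy values (5 failures in 10 minutes, 15-minute lockout) and the attempt stream are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values: lock an account after 5 failed attempts
# within any 10-minute window, and keep it locked for 15 minutes.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=15)


class LoginGuard:
    """Tracks failed logins per username and decides whether an attempt may proceed."""

    def __init__(self):
        self.failures = defaultdict(deque)  # username -> timestamps of recent failures
        self.locked_until = {}              # username -> lockout expiry time

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'success' or 'failure'.

        A correct password is still refused while the account is locked; that is
        what defeats a guessing tool even when it eventually hits the right one."""
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"
        if password_ok:
            self.failures[user].clear()
            return "success"
        window = self.failures[user]
        window.append(now)
        while window and now - window[0] > WINDOW:  # drop failures outside the window
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            window.clear()
        return "failure"


def simulate(attempts):
    """Run (seconds_offset, username, password_ok) tuples through a fresh guard."""
    guard = LoginGuard()
    start = datetime(2024, 1, 1, 9, 0, 0)  # constructed reference time
    return [guard.attempt(u, ok, start + timedelta(seconds=s)) for s, u, ok in attempts]


# Constructed stream: an automated guesser hitting 'admin' once a second,
# with the correct password turning up as its 8th guess.
GUESSES = [(i, "admin", i == 7) for i in range(10)]

if __name__ == "__main__":
    for (s, _, _), result in zip(GUESSES, simulate(GUESSES)):
        print(f"t+{s:2d}s admin -> {result}")
```

The same guard does not trouble a real user who mistypes occasionally, because failures spaced more than ten minutes apart never accumulate to the threshold.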

Not sure which of your logins are exposed? Our team can audit where MFA is missing and quietly shut the easy doors before someone tries them.
