Fortinet Confirms Customer Data Breach via Third Party
======================================================

The incident is a reminder why organizations need to pay attention to how they store and secure data in SaaS and cloud environments.

[Jai Vijayan, Contributing Writer](/author/jai-vijayan)

September 13, 2024

![Fortinet sign on a building](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt13ef7cb78c2c09b6/66e48b30dfc7ee55243df800/fortine_JHVEPhoto_shutterstock.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale)

Source: JHVEPhoto via Shutterstock

Fortinet has confirmed the compromise of data belonging to a "small number" of its customers, after a hacker using the somewhat colorful moniker "Fortibitch" leaked
440GB of the information via BreachForums this week.

The hacker claimed to have obtained the data from an Azure SharePoint site and alleges they leaked it after the company refused to negotiate with the individual on a ransom demand. The situation once again highlights the responsibility that companies have to secure [data held in third-party cloud repositories](https://www.darkreading.com/cloud-security/ticketmaster-breach-showcases-saas-data-security-risks), researchers say.

Unauthorized Access to SaaS Environment
---------------------------------------

Fortinet itself has not specifically identified the source of the breach. [But in a Sept. 12 advisory](https://www.fortinet.com/blog/business-and-technology/notice-of-recent-security-incident), the company said someone had gained "unauthorized access to a limited number of files stored on Fortinet's instance of a third-party, cloud-based shared file drive."

The security vendor, one of the largest in the world by market cap, identified the issue as impacting less than 0.3% of its more than 775,000 customers worldwide, which would place the number of affected organizations at around 2,325.

Fortinet said it had seen no signs of malicious activity around the compromised data. "Fortinet immediately executed on a plan to protect customers and communicated directly with customers as appropriate and supported their risk mitigation plans," the security vendor noted in the advisory.
"The incident did not involve any data encryption, deployment of ransomware, or access to Fortinet's corporate network." Fortinet said it does not expect the incident to have any [material impact on its operations](https://www.darkreading.com/cyberattacks-data-breaches/secs-new-take-on-cybersecurity-risk-management) or finances.

In a threat intelligence report shared with Dark Reading, CloudSEK said it had observed a threat actor using the Fortibitch handle leaking what appeared to include not just customer data, but also financial and marketing documents, product information, HR data from India, and some employee data.

"The actor attempted to extort the company but, after unsuccessful negotiations, released the data," CloudSEK said. The company surmised that the hacker would have attempted to sell the data first, if it had been of any true value.

Fortinet did not confirm or deny if the hacker had attempted to engage with the company on the stolen data.

The hacker's post on BreachForums included somewhat context-free references to [Fortinet's acquisitions of Lacework](https://www.darkreading.com/cloud-security/fortinet-plans-to-acquire-lacework) and NextDLP. It also referenced a few other threat actors, the most interesting of whom is a Ukrainian outfit tracked as DC8044. "There are no direct links between Fortibitch and DC8044, but the tone suggests a history between the two," according to CloudSEK.
"Based on the available information, we can ascertain with medium confidence that the threat actor is based out of Ukraine."

Breach a Reminder of Cloud Data Exposure Risks
----------------------------------------------

The Fortinet compromise — though apparently not too major — is a reminder of the heightened [data exposure risks](https://www.darkreading.com/cloud-security/5-hard-truths-about-the-state-of-cloud-security-2024) to enterprise organizations when using [software-as-a-service (SaaS) and other cloud services](https://www.darkreading.com/application-security/saas-apps-present-abbreviated-kill-chain-for-attackers) without the appropriate guardrails. [A recent scan by Metomic](https://www.metomic.io/resource-centre/metomic-finds-40-of-google-drive-files-contain-sensitive-information-putting-organizations-at-risk-of-a-data-breach#download) of some 6.5 million Google Drive files showed more than 40% of them containing sensitive data, including employee data and spreadsheets containing passwords.

Often, organizations stored the data on Google Drive files with little protection. More than one-third (34.2%) of the scanned files were shared with external email addresses, and more than 350,000 files had been shared publicly.

Rich Vibert, CEO and founder of Metomic, says there are three fundamental mistakes organizations make when it comes to protecting data in cloud environments: not using [multifactor authentication (MFA)](https://www.darkreading.com/cloud-security/mfa-bombing-attacks-target-apple-iphone-users) to control access to SaaS apps; giving employees too much access to folders and sensitive assets within the app itself; and storing sensitive data for too long.

It's unclear yet how the hacker might have accessed the data from Fortinet's SharePoint environment.
But one likely scenario is that the attacker gained access to valid login credentials, via phishing for instance, and then logged in and exfiltrated data from SharePoint and similar environments, says Koushik Pal, threat intelligence reporter at CloudSEK. Information stealers are also a "really common" attack vector, Pal notes.

Rethinking Cloud Security
-------------------------

"Typically, developers should use environment variables, vaults, or encrypted storage for sensitive information, and avoid hardcoding credentials in source code," Pal says. Often developers hardcode access credentials like API keys, username and password into the source code and inadvertently push the code into a public or unsecured private repository from where they can be accessed relatively easily.

"Organizations should make MFA mandatory for accessing SharePoint and other critical systems to prevent unauthorized access even if credentials are compromised," Pal explains. "Monitor repositories on a regular basis for exposed credentials, sensitive data, or misconfigurations, and enforce security best practices across all teams."

Akhil Mittal, senior manager of cybersecurity at Synopsys Software Integrity Group, says incidents like the one Fortinet experienced show why it's a mistake for organizations to leave security around their cloud assets entirely to cloud service providers. "Organizations should [rethink how they store customer data](https://www.darkreading.com/threat-intelligence/snowflake-account-attacks-driven-by-exposed-legitimate-credentials) in shared drives, ensuring critical information is kept separate from less sensitive files," he says.

It's a good idea too to encrypt sensitive data both in transit and at rest, to mitigate damage even if attackers gain access. Mittal perceives continuous monitoring of cloud assets as fundamental to protecting them.
"Applying zero-trust principles to third-party platforms also ensures no external service is trusted automatically, reducing the risk of unauthorized access," he adds.
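
The advice quoted above from Pal (keep credentials out of source code, read them from the environment or a vault, and check repositories regularly for exposed ones) can be turned into a repeatable check. The following Python example is added here and is not code from the article or from anyone quoted in it; the matching rule, file names and credential values are all constructed for illustration.

```python
import re

# Heuristic rule (an assumption of this example, not a complete rule set):
# a credential-like name assigned a quoted string literal.
CRED_NAME = r"[A-Za-z0-9_]*(?:password|passwd|secret|token|api_?key)[A-Za-z0-9_]*"
HARDCODED = re.compile(
    r"\b(?P<name>" + CRED_NAME + r")\s*[:=]\s*(?P<q>['\"])(?P<value>[^'\"\n]+)(?P=q)",
    re.IGNORECASE,
)
# Literals that reference a secret store or are obvious placeholders.
SAFE_VALUE = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|changeme|example)$", re.IGNORECASE)

# Constructed sample repository: the hardcoded "before", the environment-based
# "after", and a config file that holds only a reference and a placeholder.
SAMPLE_REPO = {
    "upload_before.py": (
        'SHAREPOINT_USER = "svc-upload@example.com"\n'
        'SHAREPOINT_PASSWORD = "Winter2024!corp"\n'
        'API_KEY = "k3y-constructed-0000-not-real"\n'
    ),
    "upload_after.py": (
        'import os\n'
        'SHAREPOINT_PASSWORD = os.environ["SHAREPOINT_PASSWORD"]\n'
        'API_KEY = os.getenv("API_KEY")\n'
    ),
    "deploy.yaml": (
        'db_password: "${DB_PASSWORD}"\n'
        'client_secret: "changeme"\n'
    ),
}


def scan_text(path, text):
    """Return (path, line_no, name) per hardcoded credential; never the value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in HARDCODED.finditer(line):
            value = m.group("value")
            # Heuristic: skip very short literals, references and placeholders.
            if len(value) < 8 or SAFE_VALUE.match(value):
                continue
            findings.append((path, line_no, m.group("name")))
    return findings


def scan_repo(files):
    """Scan a {path: text} mapping in path order and collect all findings."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for path, line_no, name in scan_repo(SAMPLE_REPO):
        print(f"{path}:{line_no}: hardcoded value assigned to {name}")
```

The findings carry only the file, line and variable name, so the scanner's own output and CI logs do not become a second copy of the secret.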
About the Author
----------------

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
Related Tags: Octo Tempest; NAICS: 54 – Professional, Scientific, Technical Services; NAICS: 541 – Professional, Scientific, Technical Services; NAICS: 518 – Computing Infrastructure Providers, Data Processing, Web Hosting, Related Services; NAICS: 51 – Information; Roasted 0ktapus; Scattered Spider; Blog: Dark Reading; Phishing