
73,000 Breached Fortinet Devices: the Most Expensive Attack Is an Old Password No One Changed


Tens of thousands of firewalls and VPN devices from Fortinet, used by some of the world's biggest firms, have been breached in a large hacking campaign called FortiBleed. And the most uncomfortable part of the story isn't how many were breached, but how - not through some secret, unknown hole, but through old, already-leaked passwords and poor protection of access credentials.

The scheme is quiet and efficient. The hackers use automated tools to scan exposed Fortinet devices, get in with lists of leaked passwords, and then monitor the traffic to gather more access credentials, which they feed back into the same tools to breach new devices. "Once a device is compromised, they use it as a listening post," explains the security firm SOCRadar. According to Hudson Rock, over 73,000 unique Fortinet addresses were breached; SOCRadar cites over 30,000 compromised devices.
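An added example, not part of the original article: a minimal detector for the login pattern described above, where one source fails logins across several accounts in a short window and then gets in. The log format, field names, thresholds and sample lines are constructed for illustration and are not a real FortiOS log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up key=value format (assumption, not FortiOS output).
SAMPLE_LOG = """\
2024-01-10T03:00:01 src=203.0.113.7 user=admin status=failed
2024-01-10T03:00:11 src=203.0.113.7 user=backup status=failed
2024-01-10T03:00:21 src=203.0.113.7 user=vpnuser1 status=failed
2024-01-10T03:00:31 src=203.0.113.7 user=svc_mon status=failed
2024-01-10T03:00:41 src=203.0.113.7 user=jsmith status=failed
2024-01-10T03:01:05 src=203.0.113.7 user=jsmith status=success
2024-01-10T08:15:00 src=198.51.100.20 user=alice status=failed
2024-01-10T08:15:20 src=198.51.100.20 user=alice status=failed
2024-01-10T08:15:45 src=198.51.100.20 user=alice status=success
2024-01-10T09:00:00 src=192.0.2.50 user=admin status=failed
2024-01-10T09:00:05 src=192.0.2.50 user=admin status=failed
2024-01-10T09:00:10 src=192.0.2.50 user=root status=failed
2024-01-10T09:00:15 src=192.0.2.50 user=root status=failed
2024-01-10T09:00:20 src=192.0.2.50 user=guest status=failed
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) status=(failed|success)$")

def parse(log_text):
    """Turn log lines into time-ordered (timestamp, src, user, status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip lines that do not match the assumed format
            ts, src, user, status = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, status))
    return sorted(events)

def find_stuffing(events, window=timedelta(minutes=10), min_failures=5, min_users=3):
    """Map each bursting source IP to the accounts it logged into after the burst."""
    failures = defaultdict(list)  # src -> [(ts, user)] failed attempts still in the window
    alerts = {}                   # src -> accounts to rotate and review (may be empty)
    for ts, src, user, status in events:
        failures[src] = [(t, u) for t, u in failures[src] if ts - t <= window]
        if status == "failed":
            failures[src].append((ts, user))
        burst = (len(failures[src]) >= min_failures
                 and len({u for _, u in failures[src]}) >= min_users)
        if burst:
            hits = alerts.setdefault(src, [])
            if status == "success" and user not in hits:
                hits.append(user)  # a success right after a burst: treat as compromised
    return alerts

if __name__ == "__main__":
    print(find_stuffing(parse(SAMPLE_LOG)))
```

A source mapped to an empty list was guessing without success; a source mapped to account names is the case that calls for credential rotation and session review on those accounts.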

The list of affected companies is heavy: Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens and PwC. The most affected are India, the US, Taiwan and Mexico, and government institutions are under fire too. Security researchers believe a Russian-speaking group is behind the campaign.

Fortinet, through spokeswoman Tiffany Curci, admits it is "aware of a reported campaign to gather access credentials" and that it involves "resharing of data from previous incidents" and "brute-forcing passwords." Translated from corporate into human: it's not our hole, your weak passwords are. And here's the point that applies to us in the Balkans too, where institutions and firms still keep critical systems behind passwords like 123456 - the most expensive attack isn't the one that requires genius, but the one that just waits for someone not to change their password for years. How many of our institutions would survive even ten minutes of the same scanning?