Psybersafe Blog

FortiBleed: 74,000 firewalls, one very human habit

June 2026 · 4 min read

We confuse buying security with being secure. A breach just proved it, 74,000 times.

You almost certainly reuse a password. The same one, give or take a number, across your email, your shopping, maybe your work login. It is the digital version of cutting one key for your house, your car and your office, then leaving a copy under the mat. Convenient, until someone finds the copy.

This month, that habit leaked the logins of nearly 74,000 organisations. The expensive kit they had bought to keep attackers out quietly handed over the keys, and the reason has almost nothing to do with technology.

What actually leaked

A public dataset of validated logins, pulled from internet-facing Fortinet firewalls: usernames, email addresses and passwords, much of it in plain text. It covers 73,932 devices across 194 countries, which researchers put at about half of all Fortinet firewalls exposed to the internet.

The method is the tell. Nobody cracked anything. The attackers tried a list of passwords that had already leaked in earlier breaches, and noted every login that still worked - old keys, old doors, still opening.
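The pattern described above has a recognisable shape in a login log: one source working through many different accounts in a short window, failing most of the time, and occasionally succeeding. The script below is an added example written for this post, not the Psybersafe blog's own code and not a Fortinet tool; the log format, field names and sample lines are constructed, so the regular expression is the part to adapt to a real appliance's syslog output.

```python
"""Flag credential-stuffing patterns in firewall / VPN login logs.

Added example (not from the original post). The log format, the field
names and the sample lines are constructed; a real appliance logs in its
own format, so adapt LINE_RE before running this over real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries six accounts in a few seconds and gets
# in once; the other two sources look like ordinary users.
SAMPLE_LOG = """\
2026-06-02T08:00:01Z src=203.0.113.9 user=alice result=fail
2026-06-02T08:00:02Z src=203.0.113.9 user=bob result=fail
2026-06-02T08:00:02Z src=203.0.113.9 user=carol result=fail
2026-06-02T08:00:03Z src=203.0.113.9 user=dave result=fail
2026-06-02T08:00:04Z src=203.0.113.9 user=erin result=fail
2026-06-02T08:00:05Z src=203.0.113.9 user=frank result=success
2026-06-02T08:03:10Z src=198.51.100.4 user=alice result=fail
2026-06-02T08:03:40Z src=198.51.100.4 user=alice result=success
2026-06-02T09:15:00Z src=192.0.2.77 user=grace result=success
"""

# Assumed log line layout: timestamp, source address, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match LINE_RE."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_stuffing(log_text, window=timedelta(minutes=10), min_users=5):
    """Find sources that tried at least `min_users` distinct accounts within `window`.

    Returns {src: {"users_tried": n, "successes": [accounts that logged in]}}.
    The "successes" list is the set of accounts whose password evidently still
    works from a leaked list: those are the ones to rotate first.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start, best, successes = 0, 0, set()
        # Sliding window over this source's attempts, ordered by time.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            users = {r["user"] for r in window_recs}
            if len(users) >= min_users:
                best = max(best, len(users))
                successes |= {r["user"] for r in window_recs if r["result"] == "success"}
        if best:
            flagged[src] = {"users_tried": best, "successes": sorted(successes)}
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['users_tried']} accounts tried, "
              f"working credentials: {info['successes'] or 'none'}")
```

The thresholds (`min_users=5`, ten-minute window) are assumptions to tune against your own baseline; the point is that a single source cycling through many accounts is the signature of a leaked-list replay, and any success inside that burst is a credential that needs rotating today rather than next quarter.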

The firewall did everything it promised. The gap was human.

We confuse buying with doing

Spending money on a problem gives your brain a small, satisfying hit of "sorted." You bought the treadmill, so you are basically fit. You fitted the smoke alarm, so the house is basically safe. You bought the firewall, so the company is basically covered. The purchase feels like the result. The result has not happened yet.

Psychologists call the optimistic half of this optimism bias: the quiet assumption that the bad thing happens to other people. The other half is simpler. Once the kit is bought, the dull, repeatable work it depends on stops feeling urgent.

And the work is dull. Rotating a password that already works costs you time, friction, and the risk of locking a colleague out on a busy Monday. The payoff is invisible, because nothing bad happens, and the cost lands now. So your brain does what every brain does with a far-off risk and an immediate effort: it defers. Then defers again. None of that is laziness. It is how people are wired, and it is the wiring an attacker counts on. (We're not lazy, we're efficient.)

It gets worse the better things are going. Behavioural scientists call it the 'normalisation of deviance': each time you skip the boring task and nothing breaks, the shortcut quietly becomes the new normal. Your brain reads every uneventful day as fresh evidence the risk was never real, because an absence of bad outcomes works like a reward. Good security pays you in silence, and silence is the worst kind of feedback, because it teaches you to do less of the very thing keeping you safe. So the habit that would protect you is the one your own track record keeps arguing against. An attacker does not need a clever exploit for that. They just need you to keep being reasonable.

This is why "hackers don't break in, they log in" keeps coming true. The credential was the unlocked door all along.

Three things your brain says when this happens

Three reassurances show up. Each one feels sensible. Each is the mind playing a small trick.

"We bought the firewall, so we are covered." That swaps a purchase for a result.

"We are too small to be one of 74,000." That mistakes being unknown for being safe. The attack was automated, and it did not check how important you were before it tried the door.

"We changed those passwords ages ago." That treats a thing you did once as a habit you keep.

None of these are technical mistakes. They are comfortable thoughts, and the comfort is the point. The most dangerous moment in security is the one right after you decide you are fine.

The habits that actually protect you

You need the firewall. It only pays off when the people around it hold up their end, and that end is behaviour, repeated on purpose:

Make the safe thing easier than the lazy thing. A password manager removes the friction that makes reuse so tempting. A recurring reminder turns "when someone remembers" into "the first Monday of the quarter." Behaviour change is rarely about trying harder. It is about lowering the effort on the thing you want people to do.
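"The first Monday of the quarter" only works if something actually produces that date and a list of what is overdue. The script below is an added example, not code from the Psybersafe post: it turns a small, constructed inventory of firewall admin accounts into an oldest-first rotation list and computes the next quarterly rotation date. The 90-day policy and calendar-quarter boundaries are assumptions; swap in your own.

```python
"""Turn "rotate when someone remembers" into a dated, checkable schedule.

Added example, not from the original post. The account inventory below is
constructed; the 90-day maximum age and calendar-quarter boundaries are
assumed policy values.
"""
from datetime import date, timedelta

# Constructed inventory: (device, account, date the password was last changed).
INVENTORY = [
    ("fw-edge-01", "admin", date(2025, 11, 3)),
    ("fw-edge-01", "vpn-readonly", date(2026, 3, 2)),
    ("fw-branch-07", "admin", date(2024, 8, 19)),
]


def first_monday_of_next_quarter(today):
    """Date of the first Monday in the calendar quarter after the one containing `today`."""
    month = ((today.month - 1) // 3 + 1) * 3 + 1  # first month of the next quarter
    year = today.year
    if month > 12:  # Q4 rolls over into January of the following year
        month -= 12
        year += 1
    first = date(year, month, 1)
    return first + timedelta(days=(7 - first.weekday()) % 7)  # Monday is weekday 0


def stale_accounts(inventory, today, max_age_days=90):
    """Accounts whose password is older than policy, as (device, account, age_days), oldest first."""
    cutoff = today - timedelta(days=max_age_days)
    stale = [(device, account, (today - changed).days)
             for device, account, changed in inventory
             if changed < cutoff]
    return sorted(stale, key=lambda entry: -entry[2])


def rotation_plan(inventory, today, max_age_days=90):
    """Pair each overdue account with the next scheduled rotation date."""
    due = first_monday_of_next_quarter(today)
    return [(device, account, age, due) for device, account, age in stale_accounts(inventory, today, max_age_days)]


if __name__ == "__main__":
    run_date = date(2026, 6, 15)  # constructed "today" so the output is reproducible
    for device, account, age, due in rotation_plan(INVENTORY, run_date):
        print(f"{device}/{account}: {age} days old, rotate by {due}")
```

Running this on a schedule (a cron job, a CI job, whatever already exists) is what makes the reminder "recurring": the list is regenerated whether or not anyone remembers, and an empty list is the silent reward the post describes, now made visible.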

What to ask before the next headline

Security you have versus security you have paid for comes down to one question. Has the behaviour your technology depends on actually changed, or do you just have a receipt? FortiBleed is 74,000 receipts, and little else.

The next step is not a bigger box. It is one small habit, made easy enough to keep.
