Recent Breaches
Breaches
2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen
View All →
Breaking NewsUpdated as information becomes available
Back to Knowledge Vault
NewsBreaking7 July 20264 min read

Russian hackers steal UK government logins: why offline vaults change the equation

The Telegraph reports that Russian-linked hackers have harvested UK government login credentials and traded them on dark-web forums. The incident is a reminder that credentials, however well protected in the cloud, remain the single point of failure that offline data vaults are designed to remove.

Mark Fermor

Mark Fermor

Director & Co-Founder, Firevault

Share
Illustration of stolen login credentials being traded, representing the July 2026 report of Russian hackers selling UK government logins on dark-web forums

The Telegraph reported on 5 July 2026 that Russian-linked threat actors had stolen and were selling login credentials belonging to UK government users on dark-web marketplaces. The story, corroborated by follow-up coverage from specialist security press and an advisory from the National Cyber Security Centre, once again puts the spotlight on a category of attack that no amount of cloud hardening fully resolves: credential theft.

What was reported

According to reporting from The Telegraph and later coverage from the security press, the campaign is understood to have targeted Fortinet firewalls and VPN gateways used by government and public-sector organisations. The stolen material reportedly included usernames, email addresses and passwords, some of which were being offered for sale on Russian-speaking criminal forums.

The National Cyber Security Centre issued guidance urging organisations that operate the affected devices to reset passwords, review remote-access logs and enforce multi-factor authentication across every administrative account. Attribution to a specific state-aligned group has not been formally confirmed at the time of writing, and Firevault will update this article as verified detail emerges.

Why credentials keep being the weak link

Every recent major breach shares a common ingredient. Not zero-day exploits, not novel malware, but a valid login. Once an attacker holds a working credential, whether stolen from an endpoint, harvested from a compromised VPN or phished from a user, the defensive perimeter collapses. Cloud identity providers, single sign-on, session tokens and even most multi-factor implementations are all reachable from the public internet, which means they can all be attacked from the public internet.

The uncomfortable truth for chief information security officers is that hardening the login page does not remove the login page. It remains a door, and doors get picked.

"You cannot steal a credential for a system that is not online. That single sentence is the reason offline vaults exist. When the crown jewels sit behind an air gap you break, not one an attacker can reach, credential theft stops being a catastrophe and starts being an inconvenience."

Mark Fermor, Firevault

Where offline storage changes the equation

An offline data vault is not a replacement for good identity hygiene. It is a category shift. Instead of trying to make an internet-reachable service impossible to compromise, it removes the service from the internet entirely for the data that matters most. The result is that a stolen government password, however painful, cannot be used to reach data held inside a Firevault unit, because there is no route from the credential to the data.

For the class of asset that must survive a nation-state incident, such as source-of-truth records, encryption key material, board and legal archives, cyber-response runbooks and system-recovery images, that categorical difference matters far more than an incremental improvement in cloud posture.

What this means for UK organisations

Three practical takeaways for UK organisations reviewing their posture in light of the reporting:

  1. Assume valid credentials are already in adversary hands. Rotate, enforce phishing-resistant multi-factor authentication and treat every legacy VPN endpoint as suspect until proven otherwise.
  2. Segregate the assets whose loss you cannot tolerate. If a class of data would trigger a Cabinet Office incident review, it should not be reachable from a cloud identity that a foreign actor can log into.
  3. Test the offline recovery path. An offline vault only helps if the recovery procedure is rehearsed. Firevault customers run quarterly reconstitution drills, and every UK organisation holding critical data should do the equivalent, whether or not they use our hardware.

Firevault will continue to track the reporting on this incident and publish updates as verified detail becomes available.

Sources

  • The Telegraph, "Russian hackers steal government logins", 5 July 2026: telegraph.co.uk
  • National Cyber Security Centre advisory on Fortinet firewall and VPN targeting: ncsc.gov.uk
  • Bleeping Computer coverage of the Fortinet credential leak: bleepingcomputer.com

About the author

Mark Fermor

Mark Fermor

Director & Co-Founder

Co-founder of Firevault, focused on offline secure storage and protecting individuals and businesses from fraud, fines, loss and damage. Speaker, owner and advisor.

Share this article

Breaking News
News7 July 20264 min read

Russian hackers steal UK government logins: why offline vaults change the equation

The Telegraph reports that Russian-linked hackers have harvested UK government login credentials and traded them on dark-web forums. The incident is a reminder that credentials, however well protected in the cloud, remain the single point of failure that offline data vaults are designed to remove.

Russian hackers steal UK government logins: why offline vaults change the equation
Mark Fermor
Published by Mark Fermor, Director & Co-Founder