Article mentions the passwords were hashed with sha256 plus a salt. For a long password more than say 12 characters this would take a very long time to brute force. My guess is a lot of these were dictionary attacks ?

>The data comprises of roughly 50% of all Fortinet firewall devices facing the internet, based on polling from Shodan.

Jesus wept. When will companies stop using garbage products like this?