One Password. No MFA. Five Thousand Miles of Pipeline.


In May 2021, a ransomware attack by a group called DarkSide forced the shutdown of the Colonial Pipeline: 5,500 miles of fuel infrastructure carrying roughly 45% of the East Coast's fuel. Gas stations ran dry. Prices spiked. People panic-bought fuel in plastic bags, which is both a fire hazard and a sign that things have gotten genuinely bad.

The FBI got involved. The White House held press conferences. Everyone wanted to know how a piece of critical infrastructure this important could be taken offline.

The answer, when it came out, was embarrassing in the way that only the simplest answers can be.


What Actually Happened

Investigators traced the breach to a single VPN account. Not a complicated zero-day exploit. Not a nation-state attack involving months of reconnaissance and custom malware. A username and password for a legacy VPN account that was no longer meant to be in use but had never been disabled, found in a batch of leaked credentials on the dark web.

That account had no multi-factor authentication.

Someone at DarkSide plugged in the credentials, got in, and started moving through the network. About a week later they deployed ransomware on Colonial's IT systems and demanded payment. Colonial shut the pipeline itself down as a precaution, unsure whether the infection could reach the systems that actually run it, and paid $4.4 million in Bitcoin. It did so quietly, and did not confirm the payment publicly until later, because the alternative was keeping the pipeline offline indefinitely.

(The Department of Justice later recovered about $2.3 million of it. Small consolation.)

The CEO, Joseph Blount, later testified before Congress. The questions were pointed. The answers were uncomfortable. One of the senators asked, essentially, why a company managing this much critical infrastructure didn’t have MFA on its VPN accounts.

There wasn’t a great answer to that question.


The Part That Should Concern You

This isn’t a story about a sophisticated attack. It’s a story about a forgotten account with a password that had already been compromised in some other breach, sitting quietly in a list that eventually ended up on the dark web, waiting for someone to try it.

That scenario is not unique to Colonial Pipeline. Leaked credential lists are enormous: billions of username/password pairs collected from years of breaches, freely available to anyone who knows where to look. Attackers feed them into tools that try every pair against a login portal automatically (credential stuffing), and because people reuse passwords, a password leaked from one site often works somewhere else. It costs almost nothing to try.

Every organization has old accounts. Former employees. Contractors who finished their engagement. Test accounts created during a rollout that never got cleaned up. Service accounts tied to a system that’s been decommissioned. Each one is a door. Most of them don’t even have a deadbolt.


What This Means for You

You don’t have to be running a pipeline to be running the same risk. Here’s the short version:

Enable MFA on everything external-facing. VPN, email, cloud applications, admin portals, anything accessible from outside your network. MFA doesn't stop every attack (push-fatigue and real-time phishing can get around the weaker forms of it, so prefer phishing-resistant methods such as FIDO2 security keys where you can), but it stops this one. A leaked password by itself no longer gets anyone in.

Audit your accounts. Do you know every VPN account, every admin login, every cloud access credential that exists in your environment? If someone left the company six months ago, is their account disabled? Run the list, and look at last-login dates: an account nobody has used in months but that is still enabled is exactly what was waiting for DarkSide. Disable or delete anything that isn't actively needed, and put the check on a schedule, because the list will drift again.

Check Have I Been Pwned. Troy Hunt's Have I Been Pwned lets you check whether your email address, or every address at your domain once you've verified you own it, has shown up in a known data breach. Free, takes thirty seconds. If your credentials are already in a leaked list, you should know about it, and that password should be treated as burned everywhere it was ever used.
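Here is what the three steps above look like as a script. This is an added example, not anything from Colonial Pipeline or from Have I Been Pwned: it parses a constructed account export (the column names are my assumption; map whatever your VPN appliance or identity provider gives you onto them), flags every enabled account that is reachable from outside without MFA, has not logged in for 90 days, or belongs to someone who has left, and then checks a password against the Pwned Passwords part of Have I Been Pwned using its k-anonymity range API, which needs no API key and only ever sees the first five hex characters of the password's SHA-1. The range response is canned so the script runs offline; fetch_range_live does the real lookup. The breach search by email that the post refers to is a separate service, free on the website but key-gated through the API, so it is not called here.

```python
"""Added example: an account-hygiene audit plus a leaked-password check.
The export rows, the column names and the canned Pwned Passwords response
are all constructed for illustration."""
import csv
import hashlib
import io
from datetime import date, datetime

# Constructed account export. The columns are an assumption about what a
# VPN appliance or identity provider exports; map your own onto them.
ACCOUNT_EXPORT = """\
username,enabled,mfa_enrolled,external_access,last_login,employment_status
alice,true,true,true,2021-04-28,active
legacy-vpn-01,true,false,true,2020-11-03,active
bob,true,false,true,2021-04-20,terminated
svc-backup,true,false,false,2019-06-30,active
carol,false,false,true,2020-01-15,terminated
dave,true,true,false,2021-04-29,active
"""
AUDIT_DATE = date(2021, 5, 7)   # the day Colonial found the ransomware


def parse_export(text):
    """Turn the CSV export into dicts with real booleans and dates."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": r["username"],
            "enabled": r["enabled"].lower() == "true",
            "mfa_enrolled": r["mfa_enrolled"].lower() == "true",
            "external_access": r["external_access"].lower() == "true",
            "last_login": datetime.strptime(r["last_login"], "%Y-%m-%d").date(),
            "employment_status": r["employment_status"],
        })
    return rows


def audit_accounts(rows, today, max_idle_days=90):
    """Return {username: [findings]} for every enabled account that is a door
    an attacker could walk through. Disabled accounts are skipped: they may
    deserve deletion, but a leaked password does not open them."""
    findings = {}
    for acct in rows:
        if not acct["enabled"]:
            continue
        problems = []
        if acct["external_access"] and not acct["mfa_enrolled"]:
            problems.append("reachable from outside without MFA")
        idle_days = (today - acct["last_login"]).days
        if idle_days > max_idle_days:
            problems.append(f"no login for {idle_days} days")
        if acct["employment_status"] != "active":
            problems.append("owner has left but account is still enabled")
        if problems:
            findings[acct["username"]] = problems
    return findings


def run_audit():
    return audit_accounts(parse_export(ACCOUNT_EXPORT), AUDIT_DATE)


# Pwned Passwords k-anonymity check: only the first five hex characters of the
# SHA-1 go to the service; it returns every suffix it knows under that prefix
# and the comparison happens on your side.

def fetch_range_live(prefix):
    """Real lookup against https://api.pwnedpasswords.com/range/<prefix>.
    Needs network; the offline demo uses fetch_range_canned instead."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "account-hygiene-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Canned response standing in for the API. The first suffix is the real
# SHA-1 of "password" (5BAA61E4...); the counts are made up.
CANNED_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1\r\n",
}


def fetch_range_canned(prefix):
    return CANNED_RANGE.get(prefix, "")


def pwned_count(password, fetch_range=fetch_range_canned):
    """How many times the password appears in Pwned Passwords (0 = not seen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        found_suffix, count = line.strip().split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for user, problems in run_audit().items():
        print(f"{user}: {'; '.join(problems)}")
    print("'password' seen", pwned_count("password"), "times in the canned list")
```

On the constructed export, alice and dave come out clean, carol is skipped because she is already disabled, and legacy-vpn-01 is the Colonial pattern: enabled, reachable from outside, no MFA, and nobody has logged in for half a year. Swap fetch_range_canned for fetch_range_live to query the real service; the k-anonymity scheme means the password itself never leaves your machine either way.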


Colonial Pipeline paid $4.4 million and made national news because an unused account was never disabled and didn't have MFA. That's the whole story. It's a painful lesson, but it's also a fixable one, and the fix costs a lot less than $4.4 million.
