Critical Infrastructure

Colonial Pipeline: How One Password Shut Down America's Fuel Supply

In May 2021, a ransomware attack on a single pipeline company caused fuel shortages, panic buying, and gas station lines across the southeastern United States. The entry point was a leaked VPN password.

Securiu Team

Security Research

May 7, 2021 · 9 min read

On May 7, 2021, Americans woke up to news that would have seemed like science fiction just a decade earlier: a cyberattack had shut down the largest fuel pipeline in the United States.

Colonial Pipeline carries 45% of the fuel supply for the East Coast—about 2.5 million barrels per day of gasoline, diesel, and jet fuel. When the ransomware hit, the company made a decision that would ripple through the economy: they shut down 5,500 miles of pipeline.

Gas stations ran dry. Prices spiked to seven-year highs. People lined up with gas cans, plastic bags—anything that would hold fuel. Multiple states declared emergencies. Airlines scrambled to reroute flights to airports that still had fuel.

And it all started with a single password.

The Entry Point

The attackers—a ransomware gang called DarkSide—got into Colonial's network through a VPN account. This wasn't a sophisticated zero-day exploit or an insider threat. It was a password that had been leaked in a previous data breach and was sitting on the dark web, available to anyone willing to pay for it.

The compromised account had one critical weakness: no multi-factor authentication.

With just the username and password, the attackers logged in as if they were a legitimate employee. There was no second verification step, no code from a phone, no additional security check. Just a stolen password and an open door.

The account wasn't even actively used anymore. It was an old VPN profile that should have been disabled but hadn't been. These forgotten credentials—what security professionals call "ghost accounts"—are a common problem. Employees leave, roles change, systems get upgraded, but old access credentials linger in the system like unlocked doors no one remembers to close.

What Happened Next

Once inside, DarkSide deployed their ransomware against Colonial's business systems. They encrypted critical files and exfiltrated about 100 gigabytes of data, threatening to release it publicly if Colonial didn't pay.

Colonial's operational technology—the systems that actually control the pipeline—wasn't directly hit. But with its business systems encrypted, the company lost visibility into its own operations. It couldn't bill customers. It couldn't track fuel deliveries. Without that visibility, it made the call to shut everything down.

The pipeline stayed offline for six days.

Colonial paid the ransom: 75 Bitcoin, worth about $4.4 million at the time. The FBI later recovered about $2.3 million of that payment by tracking the cryptocurrency transactions—a rare win in the fight against ransomware.

The Real-World Fallout

The Colonial Pipeline attack demonstrated something that cybersecurity professionals had warned about for years: digital attacks can cause physical-world chaos.

  • Fuel shortages: Gas stations across the Southeast ran out of fuel. At the peak, 71% of stations in North Carolina had no gas. Virginia, Georgia, and South Carolina saw similar shortages.
  • Price spikes: The national average gas price rose above $3 per gallon for the first time since 2014.
  • Panic buying: People filled not just their cars but extra containers. Some made dangerous choices—videos circulated of people filling plastic bags with gasoline.
  • Emergency declarations: Multiple states declared states of emergency. The Department of Transportation issued emergency orders to allow fuel transport by truck.
  • Aviation disruption: American Airlines added fuel stops to some long-haul flights. Other carriers scrambled to ensure adequate fuel at affected airports.

All of this from one compromised password.

The Multi-Factor Authentication Question

The single biggest factor in this breach was the absence of multi-factor authentication (MFA) on the VPN account. If MFA had been enabled, the stolen password alone wouldn't have been enough.

MFA requires two or more forms of verification to log in:

  • Something you know: your password
  • Something you have: a code from your phone, a hardware key
  • Something you are: a fingerprint, facial recognition

With MFA enabled, an attacker who has your password still can't get in without that second factor. The Colonial attackers had the password but wouldn't have had access to an employee's phone or hardware token.

Microsoft estimates that MFA blocks 99.9% of automated account compromise attacks. It's not a silver bullet—sophisticated attackers can sometimes get around it—but it eliminates the vast majority of credential-based attacks.

For a system as critical as a fuel pipeline, not having MFA on VPN access was an inexcusable oversight.
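To make the "stolen password alone isn't enough" point concrete, here is an added example (not code from the article or from Colonial) of a VPN login check that enforces app-based TOTP (RFC 6238) as the second factor. The account names, passwords, salt and base32 secret are constructed for the demo; the password-only account mirrors the profile the article describes.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, unix_time + drift * 30), code):
            return True
    return False

def hash_pw(password: str, salt: bytes = b"constructed-demo-salt") -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed accounts: 'legacy-vpn' mirrors a password-only VPN profile,
# 'jdoe' is enrolled in app-based TOTP. Secrets and passwords are made up.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
ACCOUNTS = {
    "legacy-vpn": {"pw": hash_pw("Leaked!Pass1"), "mfa_secret": None},
    "jdoe": {"pw": hash_pw("Leaked!Pass2"), "mfa_secret": DEMO_SECRET_B32},
}

def vpn_login(user: str, password: str, code, now: int) -> str:
    """Returns the access decision; a leaked password alone only wins where MFA is absent."""
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(acct["pw"], hash_pw(password)):
        return "denied: bad credentials"
    if acct["mfa_secret"] is None:
        return "ALLOWED: password only (no MFA enforced)"
    if code is None or not verify_totp(acct["mfa_secret"], code, now):
        return "denied: MFA code missing or wrong"
    return "allowed: password + TOTP"

if __name__ == "__main__":
    import time
    now = int(time.time())
    print(vpn_login("legacy-vpn", "Leaked!Pass1", None, now))
    print(vpn_login("jdoe", "Leaked!Pass2", None, now))
    print(vpn_login("jdoe", "Leaked!Pass2", totp(DEMO_SECRET_B32, now), now))
```

The first call succeeds with nothing but the leaked password; the second is refused until the code from the enrolled authenticator app is supplied.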

Lessons for Every Business

You probably don't run a fuel pipeline. But the lessons from Colonial apply to any business with an internet connection.

Enable MFA on Everything

If a system allows multi-factor authentication, enable it. Prioritize:

  • Email accounts (often the key to resetting other passwords)
  • VPN and remote access
  • Admin panels and backend systems
  • Cloud services and hosting accounts
  • Domain registrar access
  • Financial systems

Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) rather than SMS when possible. SMS can be intercepted; app-based codes are more secure.

Audit and Disable Old Accounts

The Colonial VPN account wasn't actively used. It was a ghost—old credentials that should have been removed but weren't.

Set a regular schedule to review user accounts:

  • Who has access to what systems?
  • Are there accounts for people who no longer work with you?
  • Are there test accounts or temporary credentials that were never removed?
  • When did each account last log in?

Deactivate anything that's not actively needed. You can always reactivate an account; you can't un-breach your network.
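The review checklist above can be turned into a recurring script. This added example (not from the article) runs the four questions over a constructed account export in the shape a VPN appliance or identity-provider report might take; column names, usernames and dates are all made up for the demo.

```python
import csv
import io
from datetime import datetime

# Constructed account export; a real one would be pulled from the VPN or IdP.
SAMPLE_REPORT = """\
username,enabled,owner_status,created,last_login
jdoe,true,active,2019-03-02,2021-05-06
vpn-legacy,true,terminated,2017-08-14,2020-11-30
svc-test,true,active,2020-12-01,
contractor7,true,active,2021-01-10,2021-04-29
mretired,false,terminated,2015-06-21,2019-02-02
"""

def parse_date(value: str):
    return datetime.strptime(value, "%Y-%m-%d") if value else None

def find_ghost_accounts(report_csv: str, today_iso: str,
                        inactive_days: int = 90, grace_days: int = 30):
    """Flag enabled accounts whose owner has left, that never logged in, or that sit idle.

    Returns (username, reason) pairs; already-disabled accounts are skipped."""
    today = parse_date(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["enabled"].strip().lower() != "true":
            continue
        reasons = []
        if row["owner_status"] == "terminated":
            reasons.append("owner no longer with the company")
        last = parse_date(row["last_login"])
        created = parse_date(row["created"])
        if last is None:
            # Never used: a test or temporary credential that outlived its purpose.
            if (today - created).days > grace_days:
                reasons.append("never logged in")
        elif (today - last).days > inactive_days:
            reasons.append(f"inactive for {(today - last).days} days")
        if reasons:
            findings.append((row["username"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for user, why in find_ghost_accounts(SAMPLE_REPORT, "2021-05-07"):
        print(f"disable {user}: {why}")
```

Run against the sample, it singles out the long-idle profile of a departed employee and an unused test account, which is exactly the kind of "ghost" the article describes.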

Monitor for Credential Leaks

The password that compromised Colonial was available on the dark web. Credential monitoring services can alert you when passwords associated with your domain appear in data dumps.

Even a free service like "Have I Been Pwned" lets you check if email addresses have appeared in known breaches. For business accounts, consider services that provide ongoing monitoring.
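Have I Been Pwned also exposes a Pwned Passwords range API that lets you check a password without ever sending it: the client sends only the first five hex characters of the password's SHA-1 hash, and the server returns every hash suffix in that range with a breach count. This added example (not from the article) implements that client-side check; the server and the leak counts are a constructed stand-in, not real breach data.

```python
import hashlib

def sha1_split(password: str):
    """Uppercase hex SHA-1, split into the 5-char prefix that leaves the client and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

# Constructed stand-in for the breach corpus behind the range API; counts are made up.
_LEAKED = {"password": 3730471, "123456": 23597311, "Leaked!Pass1": 2}

def _build_fake_index(leaked):
    index = {}
    for pw, count in leaked.items():
        prefix, suffix = sha1_split(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index

FAKE_INDEX = _build_fake_index(_LEAKED)

def fake_range_lookup(prefix: str) -> str:
    """Simulates GET https://api.pwnedpasswords.com/range/{prefix}: SUFFIX:COUNT lines."""
    return "\r\n".join(FAKE_INDEX.get(prefix, []))

def leak_count(password: str, range_lookup=fake_range_lookup) -> int:
    """Number of times the password appeared in known dumps, 0 if never seen.

    Only the prefix is sent; the suffix comparison happens here on the client."""
    prefix, suffix = sha1_split(password)
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

if __name__ == "__main__":
    for pw in ("password", "Leaked!Pass1", "correct-horse-battery-staple-2021"):
        print(f"{pw!r}: seen {leak_count(pw)} times")
```

Swapping `fake_range_lookup` for a function that performs the real HTTPS request turns this into a working pre-enrollment check for new VPN or email passwords.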

Segment Your Networks

Colonial's business systems and operational systems were connected closely enough that an attack on one put the other at risk. Network segmentation—separating critical systems so a breach in one area doesn't automatically compromise others—could have limited the damage.

Have a Ransomware Response Plan

Colonial paid the ransom but still needed days to recover. Having encrypted backups, tested restoration procedures, and clear incident response plans can mean the difference between a manageable disruption and a catastrophic shutdown.

The Bigger Picture

The Colonial Pipeline attack was a turning point in how governments and businesses think about cybersecurity. It demonstrated that digital vulnerabilities can have cascading physical consequences—that a password found on the dark web can empty gas stations across multiple states.

In the aftermath, the Biden administration issued an executive order on improving the nation's cybersecurity. The Transportation Security Administration issued new security directives for pipeline operators. Critical infrastructure security moved from a niche concern to a national priority.

But the fundamental lesson is simpler: basic security hygiene matters. Multi-factor authentication, account auditing, password management—these aren't exotic security measures. They're table stakes. And for Colonial Pipeline, missing one of them brought America's fuel supply to a halt.

The Bottom Line

The Colonial Pipeline attack is a stark reminder that cybersecurity failures have real-world consequences. Not theoretical risks, not compliance checkboxes—actual gas stations running dry, actual states declaring emergencies, actual businesses and families affected.

For your business, the message is clear: enable multi-factor authentication, clean up old accounts, monitor for leaked credentials, and assume that any internet-connected system is a potential target.

A single password protected Colonial Pipeline. And when that password was compromised, so was America's fuel supply.