Colonial Pipeline — leaked VPN password halts East Coast fuel supply
In May 2021 a single compromised VPN password, one that had already surfaced in a dark-web dump from another breach and that no MFA stood in front of, gave the DarkSide ransomware group access to Colonial Pipeline's corporate network. Colonial shut the pipeline down to contain the intrusion, causing fuel shortages across the US East Coast.
What happened
Colonial Pipeline had a legacy VPN account that was no longer in active use but was still enabled, and it was not protected by multi-factor authentication. Its password turned up in a batch of leaked credentials on the dark web. On 29 April 2021 DarkSide logged in with it and moved through the IT network; on 7 May it deployed ransomware. Colonial halted pipeline operations the same day to keep the intrusion from reaching the operational systems that control fuel flow, and did not begin restarting the line until 12 May, roughly six days later.
Timeline
Earlier: password for the legacy VPN account appears in a leaked-credential dump unrelated to Colonial.
29 April 2021: DarkSide logs in to the corporate network through the VPN.
7 May 2021: ransomware deployed on IT systems; Colonial halts pipeline operations.
7 May 2021: Colonial pays 75 BTC (about $4.4M) in ransom.
12 May 2021: pipeline restart begins; normal service returns over the following days.
7 June 2021: the Department of Justice announces the FBI has seized 63.7 BTC of the ransom (about $2.3M at the time).
Root cause
A legacy VPN account that was no longer in active use but was still enabled, had no MFA, and used a password that had leaked elsewhere. Any one of three controls (disabling the dormant account, requiring MFA on the VPN, or rotating the password once it appeared in a leak) would have closed this entry path.
Impact
- About six days of fuel-supply disruption across the US East Coast, with panic buying and station outages concentrated in the Southeast
- 75 BTC (about $4.4M) paid in ransom; the FBI later seized 63.7 BTC, worth about $2.3M at the time of recovery
- National-security-level policy response: US Executive Order 14028 (Improving the Nation's Cybersecurity) was signed on 12 May 2021, and the TSA issued mandatory pipeline cybersecurity directives later that month
Would Securie have caught this?
Not directly: Securie focuses on application security, not enterprise VPN. The principle generalizes, though: every credential on every system should require MFA, and every account that is not in active use should be disabled rather than left enabled by default.
Lessons
- MFA on every credential, everywhere, always; a VPN that accepts a password alone is a single-factor perimeter
- Disable unused accounts actively, not passively: review the account inventory on a schedule and disable anything without a recent login
- Password reuse turns someone else's breach into yours; treat any password that appears in a third-party dump as compromised and rotate it
- Monitor your corporate domain for leaked credentials (for example with Have I Been Pwned's domain search) and force a reset when a hit appears
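Two of the lessons above (disable idle or MFA-less accounts; check passwords against leaked-credential sets) can be turned into routine checks. The example below is added here and is not Colonial Pipeline's or Securie's code. The first part audits a constructed account inventory for the exact failure mode in this incident: enabled, idle, no MFA. The second part implements the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords API, in which only the first five hex characters of the password's SHA-1 hash leave the machine and the suffix comparison happens locally; the range responses embedded below are constructed stand-ins for the API (the `fetch_range_live` function shows the real endpoint, but the offline stub is what runs here).

```python
"""Credential-hygiene checks (added example; constructed data, not incident data)."""
import hashlib
from datetime import date
from urllib.request import Request, urlopen

# ---- 1. Stale / MFA-less account audit --------------------------------------

# Constructed inventory: user, enabled flag, MFA enrolled, last successful login.
ACCOUNTS = [
    {"user": "vpn-svc-legacy", "enabled": True,  "mfa": False, "last_login": date(2020, 11, 2)},
    {"user": "j.doe",          "enabled": True,  "mfa": True,  "last_login": date(2021, 4, 28)},
    {"user": "contractor-7",   "enabled": True,  "mfa": True,  "last_login": date(2021, 1, 15)},
    {"user": "old-admin",      "enabled": False, "mfa": False, "last_login": date(2019, 6, 1)},
]


def find_risky_accounts(accounts, today, max_idle_days=90):
    """Return {user: [reasons]} for enabled accounts that are idle or lack MFA.

    `today` may be a date or an ISO string. Disabled accounts are skipped:
    a leaked password for a disabled account cannot be used to log in.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    risky = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        if not acct["mfa"]:
            reasons.append("no MFA")
        idle = (today - acct["last_login"]).days
        if idle > max_idle_days:
            reasons.append(f"idle {idle} days")
        if reasons:
            risky[acct["user"]] = reasons
    return risky


# ---- 2. k-anonymity leaked-password check -----------------------------------

def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (the range-response format) into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 if absent).

    fetch_range(prefix) returns the response body for a 5-character SHA-1
    prefix. Only that prefix is sent anywhere; the 35-character suffix is
    compared locally, so the service never learns the full hash.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real Pwned Passwords range endpoint (needs network access)."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "credential-hygiene-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API. The first suffix under 5BAA6 is the
# real tail of SHA-1('password') = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8;
# every other suffix and every count below is made up for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "00D4F6E8FA3A4C2A0F4D5E6F7A8B9C0D1E2:2\n",
    "AAF4C": "0123456789ABCDEF0123456789ABCDEF012:1\n",
}


def fetch_range_offline(prefix: str) -> str:
    """Offline replacement for fetch_range_live; empty body means no matches."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    print(find_risky_accounts(ACCOUNTS, "2021-04-29"))
    for pw in ("password", "hello"):
        print(pw, "->", pwned_count(pw, fetch_range_offline))
```

Run against the constructed inventory as of 2021-04-29, the audit flags `vpn-svc-legacy` (no MFA, idle 178 days) and `contractor-7` (idle 104 days) and ignores the disabled `old-admin`; that is the list an operator should be disabling or forcing through MFA enrolment. Swap `fetch_range_offline` for `fetch_range_live` to check real passwords at reset time, and keep the idle threshold shorter than your password-rotation window so a dormant account never outlives its last credential change.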