One Password Shut Down 45% of US Fuel - Colonial Pipeline


Hack History Feb 22, 2026

Introduction

On May 7, 2021, the Colonial Pipeline Company — operator of the largest refined products pipeline in the United States — shut down its entire 5,500-mile pipeline system. The reason: a ransomware attack launched by a cybercriminal group called DarkSide. The pipeline carries 45% of the fuel consumed on the US East Coast, supplying gasoline, diesel, jet fuel, and heating oil to 50 million Americans.

The attack vector? A single compromised password on a legacy VPN account that didn't even have multi-factor authentication. One credential was all it took to cripple critical American infrastructure and trigger a fuel crisis that lasted nearly a week.

What Happened

DarkSide, a ransomware-as-a-service (RaaS) operation believed to be based in Eastern Europe, gained access to Colonial Pipeline's network through a compromised VPN password. The password was later found in a batch of leaked credentials on the dark web, suggesting it had been reused from another breached service. The VPN account was no longer in active use but had never been deactivated — and crucially, it lacked multi-factor authentication.

Once inside, the attackers deployed their ransomware, encrypting Colonial's IT systems and exfiltrating nearly 100 gigabytes of data. While the ransomware itself targeted IT infrastructure — not the operational technology (OT) systems that control the pipeline — Colonial made the decision to shut down the pipeline as a precautionary measure. They couldn't verify whether the attackers had moved into the OT environment, and they couldn't risk a catastrophic physical incident.

Within 24 hours, Colonial Pipeline paid 75 Bitcoin — approximately $4.4 million at the time — to DarkSide in exchange for a decryption key. The key turned out to be so slow that Colonial largely restored from their own backups anyway. The pipeline remained shut down for six days, from May 7 to May 12.

The Impact

The shutdown triggered immediate panic. Gas stations across the Southeast ran dry. Lines stretched for blocks. Fights broke out at pumps. People filled plastic bags with gasoline. Airlines rerouted flights to avoid airports running low on jet fuel. The national average gas price hit its highest point since 2014.

The Federal Motor Carrier Safety Administration issued an emergency declaration for 17 states and Washington, D.C., lifting restrictions on fuel truck drivers' hours to speed up alternative supply chains. President Biden declared a state of emergency.

The FBI, CISA, and the Department of Energy all launched investigations. In June 2021, the DOJ announced it had recovered 63.7 of the 75 Bitcoin paid as ransom — approximately $2.3 million — from a cryptocurrency wallet used by DarkSide. The group publicly announced it was ceasing operations shortly after the attack, though many analysts believe they simply rebranded.

How to Protect Yourself

The Colonial Pipeline attack is the clearest possible argument for multi-factor authentication. A single password — reused, leaked, and sitting on a forgotten account — brought down critical infrastructure serving 50 million people.

For organizations: enforce MFA on every account, especially VPN and remote access. Deactivate unused accounts immediately. Never reuse passwords across services. Segment IT and OT networks. Maintain offline backups and test your restoration process regularly. Have an incident response plan before you need one.
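Those controls only work if somebody actually looks for the accounts that violate them. The script below is an added example, not code from the original post or from Colonial Pipeline: it audits a constructed inventory of accounts for the three conditions described above (a dormant account that was never deactivated, remote access without MFA, and a password that appears in a known credential dump). The account data, the 90-day dormancy threshold and the breach corpus are all made-up assumptions; in a real deployment the inventory would come from your directory or VPN export and the breach corpus from a breached-password feed.

```python
"""Account-hygiene audit for remote-access accounts (added example).

Flags the three conditions highlighted by the Colonial Pipeline incident:
  * dormant accounts that were never deactivated,
  * remote-access (VPN) accounts without MFA,
  * passwords present in a known credential-dump corpus.
Every value below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DORMANT_AFTER_DAYS = 90  # policy threshold; an assumption, not a standard


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format most breached-password feeds use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: hashes of passwords "seen in credential dumps".
BREACHED_SHA1 = {sha1_hex(p) for p in ("Summer2019!", "Password1", "Welcome123")}


@dataclass
class Account:
    username: str
    last_login: Optional[date]   # None means the account has never logged in
    mfa_enabled: bool
    remote_access: bool          # member of a VPN / remote-access group
    password_sha1: str           # hash exported by a (hypothetical) audit tool


def audit(accounts: List[Account], today: date,
          dormant_after_days: int = DORMANT_AFTER_DAYS) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every account that fails a check.

    Dormancy and breached-password checks apply to all accounts; the MFA
    check is scoped to accounts that can reach the network remotely, since
    that is the combination that turned one password into a full shutdown.
    """
    cutoff = today - timedelta(days=dormant_after_days)
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        if acct.last_login is None or acct.last_login < cutoff:
            issues.append("dormant: deactivate or remove")
        if acct.remote_access and not acct.mfa_enabled:
            issues.append("remote access without MFA")
        if acct.password_sha1.upper() in BREACHED_SHA1:
            issues.append("password present in breach corpus: force reset")
        if issues:
            findings[acct.username] = issues
    return findings


def highest_risk(findings: Dict[str, List[str]]) -> List[str]:
    """Usernames that fail every check: the 'forgotten VPN account' pattern."""
    return sorted(u for u, issues in findings.items() if len(issues) == 3)


# Constructed inventory; 'today' is fixed so the run is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("legacy-vpn-svc", date(2023, 11, 2), False, True, sha1_hex("Summer2019!")),
    Account("j.doe", date(2024, 5, 30), True, True, sha1_hex("kite-orbit-velvet-93")),
    Account("contractor-42", None, True, False, sha1_hex("Welcome123")),
    Account("ops-admin", date(2024, 5, 28), False, True, sha1_hex("mossy-lantern-quartz-7")),
]

if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS, TODAY)
    for user, issues in sorted(report.items()):
        print(f"{user}: {'; '.join(issues)}")
    print("fails every check:", highest_risk(report))
```

Run as a scheduled job against your real account export and treat the `highest_risk` list as a same-day ticket: each entry is an account that could be used exactly the way the Colonial VPN account was.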

For individuals: use a password manager, never reuse passwords, and enable MFA everywhere. The same credential hygiene that could have prevented a national fuel crisis applies to your own accounts.

The Bigger Picture

Colonial Pipeline was a wake-up call for critical infrastructure security in the United States. It demonstrated that cyber attacks can have immediate, tangible physical consequences — empty gas stations, grounded flights, economic disruption. It also showed that the barrier between a criminal operation and a national security crisis can be as thin as a single password.

The attack accelerated executive orders on cybersecurity, new pipeline security directives from the TSA, and a broader national conversation about how vulnerable critical infrastructure remains to cyber threats. But the fundamental lesson is simpler than any policy: a forgotten VPN account with no MFA and a reused password is all it takes to shut down 45% of a nation's fuel supply.
