The Password Nobody Changed
They found it in a leaked credential dump.
Not a zero-day. Not nation-state tooling. Not some elaborate supply-chain compromise that took months of reconnaissance and a team of PhDs. DarkSide — the ransomware group that shut down Colonial Pipeline on May 7, 2021 — got in through a VPN account. One account. One password. No multi-factor authentication.
The password had been leaked in a previous breach. It was sitting in a dark web credential dump, waiting. Whoever owned that account hadn't changed it. Nobody had audited it. Nobody had noticed. The account remained active.
Forty-five percent of the East Coast's fuel supply ran through that pipeline. Gas stations ran dry from Florida to New Jersey. Panic buyers filled plastic bags with gasoline. Airports rerouted flights. Colonial paid $4.4 million in Bitcoin to get their systems back — an amount that briefly felt enormous before we all learned what ransomware payouts actually look like at scale.
The FBI recovered about $2.3 million of it. The math on the rest doesn't improve.
Here's what the post-mortems documented and the headlines buried: this wasn't a sophisticated attack. DarkSide was competent — they had tooling, they had ransom-payment infrastructure, they knew how to negotiate — but the entry vector was elementary. Password reuse. No MFA. An active account that should have been rotated or deactivated.
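The three defects named above (no MFA, a password present in a breach dump, an account left active and unrotated) are each something an inventory check can flag before an attacker does. The script below is an added example for this piece, not code from the incident or the cited source: it runs a credential-hygiene audit over a constructed VPN account inventory and a constructed set of breached-password hashes, comparing SHA-1 hashes rather than plaintext in the way breached-password lookup services are commonly modeled. The account names, dates, passwords and thresholds are all invented.

```python
"""Credential-hygiene audit over a VPN account inventory (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    username: str
    active: bool
    mfa_enabled: bool
    last_password_change: date
    last_login: Optional[date]
    password_sha1: str  # hash of the current password, as a directory export might hold it


def sha1_hex(secret: str) -> str:
    """Upper-case SHA-1 hex digest, the form breached-password hash lists typically use."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


# Constructed "leaked credential dump": hashes of passwords seen in an earlier breach.
BREACHED_HASHES: Set[str] = {sha1_hex(p) for p in ("Summer2019!", "Welcome1", "P@ssw0rd")}

# Constructed inventory of VPN accounts (hypothetical names and dates).
ACCOUNTS: List[Account] = [
    Account("vpn-legacy01", True, False, date(2019, 3, 1), date(2020, 11, 15), sha1_hex("Summer2019!")),
    Account("jdoe", True, True, date(2021, 4, 10), date(2021, 5, 5), sha1_hex("t9#Lq-plum-river-42")),
    Account("contractor-7", True, False, date(2021, 1, 15), date(2021, 5, 1), sha1_hex("zR!8-quartz-lamp")),
    Account("svc-backup", False, False, date(2018, 6, 1), None, sha1_hex("Welcome1")),  # already disabled
]

AUDIT_DATE = date(2021, 5, 7)  # constructed "today" so the run is deterministic

# Rough ordering for triage: a breached password is the most urgent single finding.
SEVERITY = {"password_in_breach_dump": 4, "no_mfa": 3, "dormant_deactivate": 2, "password_stale": 1}


def audit_accounts(accounts: List[Account], today: date, breached: Set[str],
                   max_password_age_days: int = 90, dormant_days: int = 60) -> Dict[str, List[str]]:
    """Return {username: [issue, ...]} for every ACTIVE account with at least one problem.

    Disabled accounts are skipped: the risk the text describes comes from accounts that
    are still able to log in.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.active:
            continue
        issues: List[str] = []
        if not acct.mfa_enabled:
            issues.append("no_mfa")
        if acct.password_sha1 in breached:
            issues.append("password_in_breach_dump")
        if (today - acct.last_password_change).days > max_password_age_days:
            issues.append("password_stale")
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            issues.append("dormant_deactivate")
        if issues:
            findings[acct.username] = issues
    return findings


def prioritize(findings: Dict[str, List[str]]) -> List[str]:
    """Usernames ordered by summed severity, highest first, for a remediation queue."""
    return sorted(findings, key=lambda user: -sum(SEVERITY[i] for i in findings[user]))


def run_audit() -> Dict[str, List[str]]:
    """Audit the constructed inventory against the constructed breach set."""
    return audit_accounts(ACCOUNTS, AUDIT_DATE, BREACHED_HASHES)


if __name__ == "__main__":
    result = run_audit()
    for user in prioritize(result):
        print(f"{user}: {', '.join(result[user])}")
```

On the constructed data the dormant legacy account with a breached password and no MFA lands at the top of the queue, the active contractor account is flagged for missing MFA and a stale password, and the MFA-protected user with a recent, unique password produces no finding. In a real deployment the inventory would come from the VPN or identity provider export and the hash set from a breached-password service, with the thresholds set by policy.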
The gap between "we have security measures in place" and "we have a password nobody changed" is where most critical infrastructure actually lives.
Security professionals have been making the case for MFA and credential hygiene since at least 2011, when the RSA SecurID breach demonstrated what happens when authentication tokens get compromised. By 2021, the argument had been won so thoroughly that making it wasn't even interesting anymore. Every compliance framework required MFA. Every security vendor sold it. Every CISO nodded along in conference rooms about defense in depth.
The VPN account didn't have it.
Colonial Pipeline wasn't uniquely negligent — they were ordinarily negligent. Which is the more depressing problem. The gap between security policy and security practice is standard operating procedure in American infrastructure. You'll find the same gap in water treatment facilities, power grids, and the legacy systems held together by institutional memory and the organizational reluctance to budget a proper migration.
The sophistication of an attack doesn't have to match the scale of the damage. DarkSide didn't need advanced persistent threat capabilities to hold a significant fraction of the East Coast's fuel supply hostage. They needed one password that nobody changed.
Colonial paid. They always pay. The incentive structure is precisely calibrated to ensure payment — downtime costs more than the ransom, insurance covers part of it, and the alternative is explaining to regulators why the pipeline stayed offline longer than necessary.
The Biden administration subsequently issued an executive order on cybersecurity. CISA published advisories. Congressional hearings were held with the appropriate amount of grave concern.
I'll let you assess the current security posture of critical infrastructure on your own. Try not to be too surprised.
Source: Wikipedia, Colonial Pipeline ransomware attack (May 7–15, 2021)