Colonial Pipeline Ransomware Attack: How a Single Password Shut Down America's Fuel Supply

The 2021 Colonial Pipeline attack exposed critical infrastructure vulnerabilities when a compromised VPN password led to a $4.4 million ransom and fuel shortages across the Eastern United States.

Yukti Singhal
Security Researcher

On May 7, 2021, Colonial Pipeline Company discovered that DarkSide ransomware had infiltrated its IT network. Within hours, the company made the unprecedented decision to shut down its entire 5,500-mile pipeline system — the largest refined products pipeline in the United States, responsible for carrying 45% of the East Coast's fuel supply. Gas stations ran dry. Panic buying erupted. The President declared a state of emergency.

All because of a single compromised password.

What Happened

The attack vector was remarkably simple. Investigators from Mandiant later traced the initial access to a legacy VPN account that did not use multi-factor authentication. The password for this account had been found in a batch of leaked credentials on the dark web, likely from a previous, unrelated breach. The employee may have reused that password elsewhere.

DarkSide, the ransomware-as-a-service (RaaS) group behind the attack, gained access to Colonial Pipeline's IT network on April 29, 2021 — a full week before the company detected the intrusion. During that window, the attackers exfiltrated roughly 100 gigabytes of data before deploying the ransomware payload.

Colonial Pipeline's operational technology (OT) systems — the ones actually controlling pipeline flow — were not directly compromised. However, the company shut down operations as a precaution because it could not verify the integrity of those systems, and because the billing infrastructure on the IT side had been encrypted. Without the ability to meter and bill for fuel, running the pipeline was not operationally viable.

The Ransom Payment

CEO Joseph Blount authorized a payment of 75 Bitcoin (approximately $4.4 million at the time) to DarkSide on May 8, the day after discovery. This was a controversial decision. Blount later testified before Congress that he authorized the payment because the company had no way of knowing the extent of the breach and could not risk a prolonged shutdown.

The decryption tool provided by DarkSide was so slow that Colonial's team largely restored systems from their own backups anyway. The FBI later recovered approximately $2.3 million of the ransom by seizing the Bitcoin wallet used by DarkSide, a rare win in ransomware recovery.

The Fallout

The real-world consequences were severe and immediate:

  • Fuel shortages spread across the southeastern United States. Average gas prices rose above $3 per gallon nationally for the first time since 2014.
  • Panic buying caused long lines at gas stations from Texas to New Jersey. Some states saw 70% of gas stations without fuel.
  • Airlines rerouted flights to refuel at different airports. American Airlines temporarily added stops to long-haul flights departing from Charlotte.
  • A national emergency declaration from the White House invoked emergency fuel transport provisions.
  • DarkSide disbanded (at least publicly) within two weeks, claiming their infrastructure had been seized, though many security researchers believe the group simply rebranded.

The Bigger Problem

Colonial Pipeline was not a small, under-resourced target. It was a major infrastructure company. Yet the attack succeeded because of failures that are depressingly common across organizations of all sizes:

No MFA on VPN access. This is table stakes for security in 2021. A legacy account with password-only authentication on a VPN endpoint is an open invitation. The fact that this account was still active despite not being in current use made it worse.

Credential reuse. The compromised password existed in a known data dump. Credential monitoring services could have flagged this. Password policies requiring unique credentials, combined with a password manager rollout, would have mitigated this risk.

Insufficient network segmentation. The fact that an IT network compromise forced a full OT shutdown reveals inadequate separation between business systems and operational systems. Even if the direct control systems were air-gapped, the dependency on IT billing systems created a single point of failure.

Limited detection capability. The attackers were inside the network for approximately a week before detection. During that time, they exfiltrated 100GB of data. Either monitoring was insufficient, or alerts were not acted upon quickly enough.
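The week-long dwell time and 100GB transfer above are exactly the kind of signal egress monitoring exists to catch: a host that normally sends a few megabytes a day to the internet suddenly sends tens of gigabytes. The following script is an added illustration of that check, not Colonial Pipeline's, Mandiant's, or any vendor's tooling. It runs over a constructed set of flow records (day, source host, destination IP, bytes sent), treats RFC 1918 addresses as internal, and flags any host whose daily external egress exceeds both an absolute floor and a multiple of that host's own median on its other days. The thresholds (10x, 1 GB) and the record format are assumptions chosen for the example.

```python
"""Flag hosts whose outbound volume to external addresses spikes far above
their own recent baseline. Added example with constructed flow data; it is
not the monitoring used in the Colonial Pipeline incident."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

MB = 1_000_000
GB = 1_000_000_000

# Assumption: RFC 1918 ranges are "inside the network"; everything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (day, source host, destination IP, bytes sent).
FLOWS = []
for day in ("2021-03-01", "2021-03-02", "2021-03-03",
            "2021-03-04", "2021-03-05", "2021-03-06"):
    FLOWS.append((day, "fileserver-01", "203.0.113.10", 50 * MB))   # routine SaaS sync
    FLOWS.append((day, "fileserver-01", "10.0.5.20", 4 * GB))       # internal backup, ignored
    FLOWS.append((day, "workstation-17", "198.51.100.7", 5 * MB))
# Day seven: the file server pushes 40 GB to an outside address it has never used.
FLOWS.append(("2021-03-07", "fileserver-01", "203.0.113.10", 60 * MB))
FLOWS.append(("2021-03-07", "fileserver-01", "192.0.2.44", 40 * GB))
FLOWS.append(("2021-03-07", "workstation-17", "198.51.100.7", 6 * MB))


def is_external(ip: str) -> bool:
    """True when the destination lies outside the internal address ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_bytes(flows):
    """Sum bytes per host per day, counting only flows that leave the network."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals


def find_exfil_candidates(flows, ratio=10.0, min_bytes=1 * GB):
    """Return (host, day) entries where external egress exceeds `min_bytes` and
    is more than `ratio` times the host's median egress on its other days."""
    alerts = []
    for host, per_day in daily_external_bytes(flows).items():
        for day, nbytes in sorted(per_day.items()):
            others = [v for d, v in per_day.items() if d != day]
            if not others:
                continue                     # no baseline yet for a brand-new host
            baseline = median(others)
            if nbytes >= min_bytes and nbytes > ratio * baseline:
                alerts.append({"host": host, "day": day,
                               "bytes": nbytes, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(FLOWS):
        print(f"{alert['day']} {alert['host']}: {alert['bytes'] / GB:.1f} GB out "
              f"(baseline {alert['baseline'] / MB:.0f} MB/day)")
```

The absolute floor keeps low-volume workstations from alerting on a 5 MB to 6 MB change, while the per-host ratio keeps a busy file server from hiding inside a fleet-wide average; in production the baseline would come from a longer window and the records from NetFlow, firewall, or proxy logs rather than an inline list.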

Lessons for Every Organization

The Colonial Pipeline attack became a watershed moment for critical infrastructure security in the United States. It directly led to several policy changes:

  • Executive Order 14028 (May 12, 2021) mandated improved cybersecurity standards for federal contractors and software supply chains.
  • The TSA issued security directives requiring pipeline operators to report cyber incidents and implement specific security measures.
  • CISA expanded its advisory role for critical infrastructure operators.

But the technical lessons apply to every organization, not just critical infrastructure:

  1. Enforce MFA everywhere, especially on remote access. No exceptions for legacy accounts.
  2. Monitor for credential exposure using dark web monitoring and breach databases.
  3. Segment networks aggressively. Business IT and operational technology must be isolated so that a compromise in one cannot cascade to the other.
  4. Maintain tested backups. Colonial ultimately relied on their backups more than the decryption tool they paid $4.4 million for.
  5. Audit dormant accounts. If an account is not in active use, disable it. Period.
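Lessons 1, 2 and 5 above can be turned into a single recurring audit over the remote-access account inventory. The script below is an added example, written for this article rather than taken from it or from any vendor, and it works on a constructed list of VPN accounts and a constructed credential-exposure feed. It reports, per account, missing MFA enrolment, dormancy (no login in 90 days, an assumed threshold), and appearance in a leaked-credential dump, then maps the findings to one decisive action. It also includes a password-exposure check for use at password-set time, modelled on the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords API, with a local constructed store standing in for the remote service.

```python
"""Account-hygiene audit for remote-access accounts: MFA enrolment, dormancy,
and credential exposure. Added example with constructed data; not the tooling
of Colonial Pipeline, Mandiant, or any vendor."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_AFTER_DAYS = 90          # assumption: 90 days without a login counts as dormant
AUDIT_DATE = date(2021, 5, 7)    # constructed "today" for the audit run


@dataclass
class Account:
    username: str
    mfa_enrolled: bool
    last_login: Optional[date]   # None means the account has never logged in
    enabled: bool = True


# Constructed inventory of VPN accounts.
ACCOUNTS = [
    Account("jdoe", mfa_enrolled=True, last_login=date(2021, 4, 28)),
    Account("legacy-vpn-svc", mfa_enrolled=False, last_login=date(2020, 11, 2)),
    Account("contractor-7", mfa_enrolled=False, last_login=date(2021, 4, 20)),
    Account("old-admin", mfa_enrolled=True, last_login=None),
]

# Constructed feed from a credential-monitoring service: usernames that
# appeared in leaked credential dumps.
EXPOSED_IDENTITIES = {"legacy-vpn-svc", "mwhite"}


def audit_account(acct: Account, exposed: set, today: date) -> list:
    """Return the hygiene findings for one enabled account."""
    findings = []
    if not acct.enabled:
        return findings                      # already disabled: nothing to do
    if not acct.mfa_enrolled:
        findings.append("NO_MFA")
    idle_days = None if acct.last_login is None else (today - acct.last_login).days
    if idle_days is None or idle_days > DORMANT_AFTER_DAYS:
        findings.append("DORMANT")
    if acct.username in exposed:
        findings.append("CREDENTIAL_EXPOSED")
    return findings


def recommended_action(findings: list) -> str:
    """Map findings to the single most decisive remediation."""
    if "DORMANT" in findings:
        return "disable"                     # lesson 5: unused means off
    if "CREDENTIAL_EXPOSED" in findings:
        return "force-reset-and-enroll-mfa"  # lesson 2 plus lesson 1
    if "NO_MFA" in findings:
        return "enroll-mfa"                  # lesson 1
    return "none"


def audit(accounts, exposed, today: date) -> dict:
    """Run the audit over every account and return a username-keyed report."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, exposed, today)
        report[acct.username] = {"findings": findings,
                                 "action": recommended_action(findings)}
    return report


# Password exposure check for password-set time. Only the first five hex
# characters of the SHA-1 would leave the client against a real range API;
# here the "service" is a constructed local store of hash suffixes.
def build_range_store(leaked_passwords):
    store = defaultdict(set)
    for pw in leaked_passwords:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        store[digest[:5]].add(digest[5:])
    return store


LEAKED_STORE = build_range_store(["Password123", "Summer2020!", "Welcome1"])  # constructed


def password_is_exposed(candidate: str, store=LEAKED_STORE) -> bool:
    """True if the candidate's SHA-1 suffix appears under its 5-character prefix."""
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    return digest[5:] in store.get(digest[:5], set())


if __name__ == "__main__":
    for user, row in audit(ACCOUNTS, EXPOSED_IDENTITIES, AUDIT_DATE).items():
        print(f"{user:16} {row['action']:28} {row['findings']}")
    print("Password123 exposed:", password_is_exposed("Password123"))
```

Run on the constructed data, the legacy service account collects all three findings and is disabled outright, which is the outcome lesson 5 asks for; the contractor account, active but password-only, gets MFA enrolment instead. The ordering in `recommended_action` is deliberate: an account nobody uses should be turned off rather than hardened.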

How Safeguard.sh Helps

Safeguard.sh provides continuous visibility into your organization's security posture, including the kind of gaps that enabled the Colonial Pipeline breach. Our platform monitors for exposed credentials, flags systems lacking MFA enforcement, and maps dependency relationships between IT and OT assets so you can understand cascade risks before an attacker exploits them. With automated SBOM tracking and policy gates, Safeguard.sh ensures that your security baseline is not just documented but actively enforced — catching the dormant accounts, the missing MFA configurations, and the network segmentation gaps that make attacks like Colonial Pipeline possible.