Colonial Pipeline
A single VPN password, with no second factor behind it, shut down the pipeline that carries nearly half the fuel supply of the US East Coast.
In May 2021, the largest fuel pipeline in the United States stopped pumping. For the better part of a week, gas stations from Georgia to New Jersey bagged their pumps while drivers panic-bought fuel and, in some cases, filled trash cans.
A leaked password
The intrusion did not require an elite operation. Investigators eventually traced it back to a single set of credentials: a username and password for a legacy VPN account that was no longer in active use but had never been disabled, protected by no second factor, and sitting in a dump of passwords leaked on the dark web from an earlier, unrelated breach.
The attackers were a Russian-speaking ransomware-as-a-service group called DarkSide. They did not touch the pipeline's operational technology directly. They encrypted the IT side: billing systems, dispatch, the office machinery of running a continent-scale pipeline. Colonial shut down the pipeline itself out of caution.
The receipts come back
Colonial paid roughly 4.4 million dollars in Bitcoin (75 BTC). About a month later the FBI announced it had recovered 63.7 BTC, roughly 2.3 million dollars at the time, by following the funds across the blockchain and obtaining the private key for the wallet they had been moved into. By then DarkSide had already gone dark, claiming within days of the attack that its servers had been seized and its funds drained. In the way of ransomware groups, several of the same operators reappeared under new branding within months.
What the chronicle remembers
Colonial was the incident that made ransomware a national security issue rather than a corporate IT issue. It also exposed how thin the membrane is between boring credential hygiene and a queue of trucks at an empty gas station.