It all came down to one password. That's the finding of a cybersecurity expert commissioned by Colonial Pipeline to find out how hackers were able to shut down the nation's largest fuel pipeline, reports Bloomberg. According to Charles Carmakal of Mandiant, part of the FireEye cybersecurity firm, hackers believed to be tied to the DarkSide cybercrime group used just one compromised password over a virtual private network (VPN), accessing Colonial's servers on April 29 through an account that was no longer being used but that could still access the company's networks. Carmakal notes the password in question was also found among other leaked passwords on the dark web, suggesting the password had been used on another hacked account by the worker who once used the dormant Colonial account. Carmakal adds, however, that he's not 100% sure the dark web was the source of the password in this particular attack, noting that source may never be discovered.
Even after a "pretty exhaustive search," Carmakal notes it's also not clear how the hackers got their hands on the compromised username that went along with the password, as they could've found that in a leak or simply experimented until they came up with it on their own. What's worrisome from a cybersecurity POV is that the now-deactivated VPN account didn't take advantage of multifactor authentication, a basic layer of protection that would've required more than just a username and password to access the network. A source tells CNN that, on the day Colonial reported the breach, the company's "door was wide open." CEO Joseph Blount says that after the company received a ransom note from the hackers, the company had "no choice" but to shut the pipeline down, as "we had no idea who was attacking us or what their motives were." The company also ended up paying the hackers a $4.4 million ransom, with Blount noting, "It was the right thing to do for the country." (Read more Colonial Pipeline stories.)