Colonial Pipeline Ransomware

15 billion passwords are for sale on the dark web. Some of them belong to you. Multi-factor authentication renders those stolen passwords useless even if they’re still valid in your system.

When a breach changes the way people live their ordinary lives, they notice. And they remember. That is why the word “colonial” is going to resonate for a long time with East Coasters, especially the ones who couldn’t get gas to get to work or pick up their kids. It will be years until Colonial Pipeline’s name is no longer synonymous in the public’s mind with gas lines and ransomware.

The hackers used a compromised Colonial password to gain access to an old VPN account that was no longer in use. Researchers suspect the password was bought on the dark web, because it was discovered in a batch of passwords for sale there, but it could have been obtained some other way, such as through a disgruntled insider, an undiscovered hack, or the use of password cracking software. To paraphrase a line in Jurassic Park, leaks will find a way.

Cybersecurity professionals don’t like to point fingers. Every time a breach makes headlines, they know it could have been their own company’s name in the headlines. After all, how many enterprises can say with confidence that their organizations are fully sanitized against zombie VPN accounts, over-privileged access, and inadequate password rules? Very few, although it’s not for lack of trying. In dynamic infrastructures that connect via APIs to hundreds or thousands of third-parties, controlling endpoints is like squeezing Jell-o. And now that so much of the workforce is remote and using whatever device is convenient—whether that’s a personal laptop, a spouse’s tablet, or a kid’s gaming system—the challenge is even greater.
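The dormant VPN account behind the Colonial breach is the kind of thing an identity team can find on a schedule rather than after the fact. The following is an added example, not code from the article or from Optimal IdM: it reads a constructed directory export (the column names and the sample rows are assumptions) and lists every enabled account in a remote-access group that is dormant past a threshold, has never logged in, or has no MFA enrolled.

```python
import csv
import io
from datetime import date, datetime

# Constructed directory export (not real data), in the shape an identity team might pull
# from a directory or VPN appliance: one row per account, ISO dates, semicolon-joined groups.
ACCOUNT_EXPORT = """username,enabled,groups,mfa_enrolled,last_login
alice,true,vpn;staff,true,2021-04-28
vpn-legacy,true,vpn,false,2020-11-02
contractor-old,true,vpn;contractors,false,2020-09-15
bob,true,staff,true,2021-01-10
svc-backup,true,vpn,true,
retired-admin,false,vpn;admins,false,2019-06-01
"""


def audit_remote_access_accounts(export_csv, as_of, dormant_days=90, watched_groups=("vpn",)):
    """Return (username, reasons) for every enabled account in a watched group that is dormant
    beyond `dormant_days`, has never logged in, or has no MFA enrolled. Disabled accounts and
    accounts outside the watched groups are left alone so the list stays actionable."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "true":
            continue
        groups = {g.strip() for g in row["groups"].split(";")}
        if not groups & set(watched_groups):
            continue
        reasons = []
        last_login = row["last_login"].strip()
        if last_login:
            idle = (as_of - datetime.strptime(last_login, "%Y-%m-%d").date()).days
            if idle > dormant_days:
                reasons.append(f"dormant for {idle} days")
        else:
            reasons.append("never logged in")
        if row["mfa_enrolled"].strip().lower() != "true":
            reasons.append("no MFA enrolled")
        if reasons:
            findings.append((row["username"], reasons))
    return findings


def run_demo():
    # Constructed review date for the sample export; in practice use date.today().
    return audit_remote_access_accounts(ACCOUNT_EXPORT, as_of=date(2021, 5, 1))


if __name__ == "__main__":
    for username, reasons in run_demo():
        print(f"{username}: {', '.join(reasons)}")
```

The watched-group filter is what keeps the output short enough to act on: a dormant account with no remote-access entitlement is a cleanup item, while a dormant VPN account without MFA is the exact shape of the Colonial finding and should be disabled first.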

So the first problem to solve for is not endpoint protection: it’s access control.

The Threat That Will Not Die

Poor password hygiene has been the source of other news-making attacks as well. The Oldsmar breach, where chemical levels in a Florida water treatment plant were sabotaged, was traced back to a remote access tool password that was shared among multiple employees. And it’s not just utility company employees who mishandle passwords. It’s all of us. According to the Verizon Data Breach Investigations Report, compromised and weak passwords are the source of 81 percent of breaches.

That shouldn’t be surprising, considering that 15 billion passwords are for sale on the dark web. They’re sold in batches, and the people who buy them feed them into automation that tries each one against a targeted site. For instance, if a hacker buys passwords that belong to Widget Corporation, they can then associate those passwords with Widget Corporation usernames acquired by buying them elsewhere on the dark web, harvesting them from another attack, or simply scraping them from legitimate sites like LinkedIn. Then they can program their software to try the compromised passwords in combination with each username until it hits on the right set of credentials and the door swings open.
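The automation described above leaves a distinctive trace in authentication logs: one client failing against many different usernames in a short span, which no legitimate user produces. As an added example (not from the article or Optimal IdM), here is detection logic run over a constructed log of login attempts; the log line format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line per authentication attempt. Constructed format (not from any real product):
#   <ISO-8601 UTC timestamp> src=<client IP> user=<username> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one user who mistypes a password twice, and one source
# that walks a list of usernames with dumped passwords until one of them works.
SAMPLE_LOG = [
    "2021-04-29T08:00:00Z src=198.51.100.4 user=bob result=FAIL",
    "2021-04-29T08:00:20Z src=198.51.100.4 user=bob result=FAIL",
    "2021-04-29T08:00:45Z src=198.51.100.4 user=bob result=OK",
] + [
    f"2021-04-29T08:01:{i:02d}Z src=203.0.113.7 user=user{i:02d} result=FAIL" for i in range(12)
] + [
    "2021-04-29T08:01:30Z src=203.0.113.7 user=vpn-legacy result=OK",
]


def parse_events(lines):
    """Return (timestamp, src, user, result) tuples in time order; unmatched lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_failures=10, min_users=5):
    """Flag a source that, within `window`, fails at least `min_failures` times across at least
    `min_users` distinct usernames. A single user fumbling a password never trips this; one
    client cycling through a dumped credential list does. Any success from a flagged source
    inside the window is reported so those accounts can be reset first."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            failures = [e for e in win if e[3] == "FAIL"]
            if len(failures) < min_failures or len({e[2] for e in failures}) < min_users:
                continue
            # Extend to every later event still inside the window so a success that
            # follows the burst of failures is captured in the alert.
            stop = end
            while stop + 1 < len(evs) and evs[stop + 1][0] - evs[start][0] <= window:
                stop += 1
            win = evs[start:stop + 1]
            failures = [e for e in win if e[3] == "FAIL"]
            alerts.append({
                "src": src,
                "failures": len(failures),
                "distinct_users": len({e[2] for e in failures}),
                "first_seen": win[0][0].isoformat(),
                "last_seen": win[-1][0].isoformat(),
                "successful_logins": sorted({e[2] for e in win if e[3] == "OK"}),
            })
            break  # one alert per source is enough for triage
    return alerts


def run_demo():
    return detect_credential_stuffing(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The two thresholds matter together: failure count alone catches a forgetful user, and distinct-user count alone catches a shared NAT gateway; requiring both is what separates credential stuffing from ordinary noise. A success listed under `successful_logins` for a flagged source is the account whose password is confirmed to be in circulation.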

Stop the Barbarians at the Gate

A frustrating aspect of the Colonial attack is how easy it would have been to prevent. If Colonial had been using multi-factor authentication (MFA), that compromised password would have been useless to attackers.

MFA provides a high level of security without impeding productivity. Users validate their credentials with a second or third form of authentication, such as a one-time password, software token, security question, biometric, etc. Some innovative MFA methods are even based on behavioral patterns and are completely invisible to the user.

If Colonial had been using a time-based one-time password, or TOTP, its recent attack could not have happened. TOTP requires the user to complete their access request with a temporary code typically delivered to their phone. TOTPs are produced by an algorithm that combines a shared secret key with the current time stamp. They change every 30 to 60 seconds, making them extremely resistant to theft. In the case of Colonial, TOTP would have prevented the breach because even though the attackers had a working password, they would not have had control of the phone number associated with it.

Shared passwords continue to be a problem and were the root cause of the breach at the Florida water treatment plant. Adaptive behavioral MFA could have prevented this breach because it doesn’t just check the user at the time of login—it is constantly checking to be sure they are the person whose credentials were used to access the system. So even if a user logs into the network for another user, or if a random person tries to use an unattended logged-in computer, the MFA system will recognize that the user’s behavior doesn’t match the credentials and can cut off their access.

An example of behavioral MFA is biometric typing. Everyone has a unique style of typing. Some press certain keys harder than others, some can never find the Z key, and so on. Biometric typing tracks keyboard activity and compares it to the user’s known typing style. If the user changes their style, maybe by learning where the Z key is, the biometric system learns with them, so it is always up to date and the user is never locked out. An MFA solution using biometrics, whether physical or behavioral, would have prevented the Florida water treatment system breach because even though all the users were sharing one set of credentials, they could not have all shared one typing style. For that matter, they could also not have shared one fingerprint, so a physical biometric, such as a fingerprint scan fed into an authentication app on users’ phones, would have prevented this attack as well.

These are just two examples of how particular methods of MFA would have prevented these breaches. However, any form of MFA would have had the same effect: preventing unauthorized users from accessing the systems.

Flexible MFA for Businesses of All Sizes in the OptimalCloud

In the early days of MFA, CTOs and CISOs understood the benefits but were concerned that requiring an extra step to log in would hinder productivity and irritate users. That’s no longer the case: modern MFA is easy to use, and users today better understand the need for additional measures to protect their companies (and therefore, their jobs).

OptimalIdM offers a wide range of MFA methods, including behavioral, biometric, TOTP, SMS, and email-based. Businesses can decide how to configure access in a way that makes sense for them – for instance, a financial services company might not want its temp workers logging in off-hours or from personal devices, so it can choose email-based MFA for those users while still allowing biometric MFA for its executives. And policy-based conditions can be applied to all access requests, giving businesses a fine-grained level of control over who can get into the network or into certain applications once they’re inside.

Businesses can even get authentication-as-a-service with the Optimal Authentication Service (OAS). OAS allows businesses to implement their choice of MFA solutions for both their web apps and their standalone apps. OAS delivers push notifications to users’ registered mobile devices in the form of TOTP, traditional one-time passwords, SMS messages, voice calls, or emails. OAS can also be used to provide passwordless access to applications by using the mobile device’s native push authentication.

MFA is included in the Optimal IdM OptimalCloud solution. The OptimalCloud is a complete Identity-as-a-Service (IDaaS) solution with delegated administration and workflow capabilities that can be customized to meet your unique needs. The OptimalCloud offers businesses of any size options that support corporate security and compliance restrictions. Built-in cloud reporting and analytics provide a real-time audit record of all activity. Priced in affordable tiers, the OptimalCloud is an effective solution that will fit your budget and solve your password problem. Visit to learn more.
