Leaked password is the weak link in Colonial Pipeline breach

Leaked password is the weak link in Colonial Pipeline breach

The Colonial Pipeline hack has been one of the most talked about breaches this spring and for good reason. It shut down the largest fuel pipeline in the U.S. and led to shortages across the East Coast. It was a classic breach/steal data/demand ransom attack and in the end the hackers got what they wanted - money. 

It involved a big company, sophisticated hackers, and a whole lot of money so it's easy to think that this type of crime doesn't really apply to you. 

After nearly a month of investigation, Colonial released a statement stating that the hackers were able to remotely access their network through one leaked password, giving power to the statement -

Your cybersecurity is only as good as your weakest link.

So how did it happen? How did the hackers get that password?

Investigators say they may never know exactly how the hackers got the password, but they did find it listed inside a batch of leaked passwords on the dark web. Unfortunately, this type of situation is all too common. Let's look at this hypothetical situation to illustrate just how easy it would be for you to become the weakest link at your company. 


One day, you and a few co-workers decide to meet up after work to watch a movie. (Remember those, back in the day when we went to theatres??) It's a new release, so you need to buy advance tickets online. You create your new account using your work email and you make sure to use a really strong password like - 0iL3r$@rEth36esT. You also make sure not to save your credit card on the account because you wouldn't want that to be stolen. You feel like you've done a good job of protecting yourself against cyberattacks and identity theft.

You get to work the next day, and your company (one of the largest oil companies in Canada) understands that the risk of a cyberattack is increasing every day, so they require that you change your complex password every three months. For the first 6 months, you do a good job of creating a strong, unique password. But when month 9 rolls around you are getting tired of memorizing another difficult password. You compromise just a little and reuse your creative (and a bit witty) password: 0iL3r$@rEth36esT.

Unfortunately, in month 10 a bad actor (pun intended) has realized that millions of people also have "Popular Movie Theatre" accounts and has managed to hack their database. Maybe the hackers have posted the list on the dark web for their bad actor friends to use or maybe they are keeping it for themselves, but regardless, they are currently using that database to try to hack into your employer's system so they can demand a $$ million ransom.

They are running every leaked password through your company's system to see if one of them has been reused.

Guess who is going to be the weak link?

So what's the solution? The simplest and first step you must take to increase your cyber defence is to use a unique password for every online account you create. There is more to do of course, but if your password hygiene is poor, the rest just might not matter.

Improve your password strength with our Top Ten Tips for a Strong Password.

Want to make remembering passwords easier?

Download Stash Password Manager app on Apple or Android today.