7 June 2021

Hackers reportedly breached Colonial Pipeline using compromised password


Hackers reportedly breached Colonial Pipeline using compromised password

Hackers behind the ransomware attack on Colonial Pipeline that took down the US’ largest fuel pipeline and caused fuel shortages across the East Coast earlier this year were able to breach the pipeline operator’s network using a compromised password, Bloomberg reported.

The attack took place on April 29 and used an unprotected virtual private network account as the point of entry, Charles Carmakal, senior vice president at cybersecurity firm Mandiant, said. The VPN account had originally been set up to allow Colonial Pipeline employees to access the network remotely. According to Carmakal, although the account was no longer in use, it was still active and accessible to the hackers. The account, which has since been deactivated, didn’t use multi-factor authentication.

The password for the account was later discovered in a batch of leaked passwords on the dark web, suggesting that a Colonial employee may have reused the same password on another account that had previously been compromised. Carmakal said he isn’t certain that’s how the hackers obtained the password. It’s also unclear how the hackers obtained the username for the account, or whether they were able to guess it on their own.
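The two failure modes described above (an enabled but dormant VPN account with no MFA, and a password that already sits in a public leak) are both things a defender can audit for routinely. The following is an added example, not code from the article or from Mandiant or Colonial Pipeline: it runs over a constructed, hypothetical account inventory and a constructed leak set, flags enabled accounts that are dormant or lack MFA, and checks a candidate password against the leak set using the SHA-1 prefix/suffix split that breach-lookup services use, so the full hash never leaves the checking side. All usernames, dates and passwords are invented.

```python
"""Audit a VPN account inventory for dormant and MFA-less accounts, and
check passwords against a local leaked-password set (constructed data)."""
import hashlib
from datetime import datetime, timedelta

# Constructed sample inventory; none of these are real accounts.
NOW = datetime(2021, 4, 29)
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "mfa": True,
     "last_login": NOW - timedelta(days=2)},
    {"user": "legacy-vpn", "enabled": True, "mfa": False,
     "last_login": NOW - timedelta(days=200)},
    {"user": "contractor7", "enabled": False, "mfa": False,
     "last_login": NOW - timedelta(days=400)},
    {"user": "asmith", "enabled": True, "mfa": False,
     "last_login": NOW - timedelta(days=5)},
]

DORMANT_DAYS = 90  # policy threshold assumed for this example


def find_risky_accounts(accounts, now=NOW, dormant_days=DORMANT_DAYS):
    """Return {username: [issues]} for enabled accounts that are dormant
    and/or have no MFA. Disabled accounts are skipped: they cannot serve
    as an entry point, which is exactly why stale accounts should be
    disabled rather than left active."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        issues = []
        if not acct["mfa"]:
            issues.append("no_mfa")
        if now - acct["last_login"] > timedelta(days=dormant_days):
            issues.append("dormant")
        if issues:
            findings[acct["user"]] = issues
    return findings


def sha1_upper(text):
    """Uppercase hex SHA-1, the format breach-lookup services index by."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed leak set: hashes of a few weak passwords. A real set would be
# a breach corpus or a vendor's hash list, never plaintext.
LEAKED_HASHES = {sha1_upper(p) for p in ("password", "Summer2020!", "letmein")}


def range_lookup(prefix, leaked=LEAKED_HASHES):
    """Simulate a k-anonymity range query: given the first 5 hex chars of a
    hash, return the suffixes (remaining 35 chars) of every leaked hash
    sharing that prefix. The caller never reveals the full hash."""
    return {h[5:] for h in leaked if h.startswith(prefix)}


def password_is_leaked(password, leaked=LEAKED_HASHES):
    """Check a password via the prefix/suffix split: only the 5-char prefix
    is sent to the lookup, and the suffix match is done locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix, leaked)


if __name__ == "__main__":
    for user, issues in find_risky_accounts(ACCOUNTS).items():
        print(f"{user}: {', '.join(issues)}")
    for pw in ("password", "correct-horse-battery-staple-7Q"):
        print(f"{pw!r} leaked: {password_is_leaked(pw)}")
```

In the constructed inventory the `legacy-vpn` account is the one that matches the article's description: enabled, unused for months, and without MFA. The audit logic is intentionally simple; the point is that both checks can be run against an identity provider's export on a schedule, with dormant accounts disabled rather than merely noted.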

Last month, the Transportation Security Administration issued a new cybersecurity policy requiring pipeline operators to report cyberattacks to the government within 12 hours.

