An anonymous independent researcher found millions of utility customers’ passwords had previously been stored in plaintext.

The researcher noticed more than 80 websites designed by the Atlanta firm SEDC offered users the option to email, not reset, lost account passwords to forgetful users, according to a report by ARS Technica.

According to estimates from GIS data and the utility companies, 15 million or so clients were affected by this practice and potentially several times more may be at risk as the SEDC site claims more than 250 utility companies use the software.

The researcher reached out to the company to inform them of the risks associated with storing plaintext passwords to which the firm suggested the problem wasn’t a security issue.

SEDC Fellow Jimmy Autry told SC Media there was a miscommunication with earlier reports and said the issue was addressed back in December 2018, although some utility companies haven’t updated their online instructions to reflect the changes.

Autry said despite some instructions still saying passwords will be resent, customers are actually redirected to a page where they are instructed to reset their passwords and that it has been this way since December 2018. In addition, SEDC is in the process of salting and hashing passwords, explaining that everything is currently PCI compliant and the database is fully encrypted.

Autry said even if someone were to use a cleartext password sent to them they would be able to see a user’s utility usage but wouldn’t be able to access personally identifiable information or payment information.