San Francisco-based Pacific Gas and Electric Company reportedly left a "treasure trove" database containing computers, servers, and other devices left wide open on the internet, according to security researcher Chris Vickery.
"We’re talking about IP addresses, operating systems, hostnames, locations, MAC addresses, and more," Vickery wrote in a post at MacKeeper. "This would be a treasure trove for any hostile nation-state hacking group."
Vickery said he found more than 47,000 PG&E computers and other devices completely unprotected, with no username or password. Tech Insider viewed purported screenshots of the database Vickery had downloaded, which showed one current PG&E's information technology staffer's username and password, albeit redacted.
Another shot showed an active virtual machine on the network, with redacted portions for hostname and IP address. In his post, Vickery says that when he reported the open database on May 26, the company called the data fake, which he disputes.
Related story
"It’s a quick, easy excuse when your company is caught with its pants down and, if it works, you get off free and clear. But that excuse isn’t going to work this time," he wrote. "Fictitious databases do not generally have areas specifically marked development, production, and enterprise. Fictitious databases do not generally have over 688,000 unique log record entries. This database did."
The company did not provide a spokesperson or a statement, despite repeated inquiries from Tech Insider.
Though it's worth noting that it is correct that companies often initially claim data breaches are fake, until proven otherwise. Vickery notes that "they sure took it down quickly" after being notified.
PG&E delivers natural gas and electric service to roughly 16 million people in northern and central California.
