

An electric company was in for a shock when a database containing sensitive information was found online. The database, belonging to PG&E, was part of an asset management system and contained information on a wide array of devices belonging to the company, although PG&E denies the authenticity of the data.
Security Week reports that the PG&E database was publicly available online, and could have been accessed by anyone without authentication. The system contained information on around 47,000 devices, including computers, servers, and virtual machines. Among the available data, one could find IP addresses, MAC addresses, hostnames, and of course, passwords; many passwords were hashed, but others were stored in clear text.
The exposed database was discovered through the investigations of Chris Vickery at MacKeeper’s Security Watch. Upon its discovery, he alerted PG&E, which insisted that the database was entirely fake. However, Vickery is skeptical of the claim, noting that “fictitious databases do not generally have areas specifically marked ‘development,’ ‘production,’ and ‘enterprise.’ Fictitious databases do not generally have over 688,000 unique log record entries. This database did.”
Whether or not the database was fake, it has already been taken down, after Vickery reported it to PG&E. However, that would not stop anyone who managed to access it earlier from copying all the data.
PG&E has not yet notified customers, but Vickery is trying to reach out to the Department of Homeland Security to determine if the database is legitimate and take any appropriate actions.