I think the vector I'd be more worried about here is that someone does a database dump of usernames & passwords, and then proceeds to use that data for credential stuffing. The hygiene of users being on average probably "not great", that would probably lead to subsequent compromise down the line, of things more valuable than the electric company's account.
But, IDK, if they're storing passwords in the clear — something so trivial to get right, and so obviously not best practice — I'd also be wondering if the user's bank account routing & account numbers aren't in that same database table…? I can imagine some damage from that.