
The Plain Text: Forgot Your E-Mail Password? Frontier Will Share It With You in a Web Chat

Phillip Dampier August 13, 2015 Consumer News, Frontier

While the online world is beefing up security systems with encryption and two-factor authentication to keep the hackers out, Frontier Communications’ e-mail password system harkens back to an earlier, innocent era when passwords were stored as plain text in a database practically anyone could access.

In this instance, “anyone” turned out to be a Frontier tech support agent named “Shawn,” moonlighting as Frontier’s living password reset system.

Ars Technica shares the surprising story of Andrew Silverman, a Frontier customer in Washington state who needed to reset his forgotten e-mail password. As Stop the Cap! first shared with our readers back in April, the company dumped most of its web-based self-service functions after it couldn’t get them to work properly.


Customers like Silverman who need their password reset now have to chat or call Frontier’s technical support. While inconvenient, Silverman was surprised to learn “Shawn” was able to get access to and share his existing password from Frontier’s customer relationship management system:

Shawn asked Silverman for some basic pieces of information—his account number or landline number, the e-mail address he was having trouble with, and the last four digits of his Social Security number. The Frontier employee then asked Silverman what password he tried to type in.

“I’m not comfortable giving out passwords. Is there a password reset page?” Silverman asked.

“I’m sorry there isn’t,” Shawn replied. “Are you OK with me posting the password in chat? It is a secure network and I have the password in front of me.”

Silverman’s password was easy to find because Frontier is storing that information in plain text format, a potentially enormous security risk. Security experts say storing passwords in a plain text format, even if access is limited to customer service representatives, makes them vulnerable to hacking. A single disgruntled employee or unknown security hole in a Frontier support center could theoretically expose millions of Frontier customers to password theft. The fact that Frontier e-mails transcripts of customer chat sessions to customers also represents a potential security risk. In Silverman’s case, Frontier helpfully obscured his account number, but not his password.

Ars confirmed with Frontier the company currently lacks an online e-mail password reset system and the online chat or telephone support representatives handle password issues as Silverman described. Frontier also maintains a billing portal which appears to function independently. The billing portal does have a self-service password reset function. But the additional security there might not help if you use the same password for e-mail and account information.
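As an added illustration (not code from Frontier, Ars Technica or the original article), this Python example shows the alternative to the plain text storage and agent-read-out reset described above: the record holds only a salted scrypt hash, so a support tool has no password to display, and a forgotten password is replaced through a single-use, expiring token. The class name, the scrypt parameters and the 15-minute token lifetime are assumptions.

```python
import hashlib, hmac, secrets, time

# Assumed parameters for this example (not taken from the article).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
RESET_TTL = 15 * 60  # reset token lifetime in seconds

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

class Mailbox:
    """One e-mail account record as a support tool would see it (hypothetical)."""
    def __init__(self, password: str):
        self.reset = None  # (SHA-256 of reset token, expiry time) or None
        self.set_password(password)

    def set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)      # fresh salt on every change
        self.pw_hash = _hash(password, self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def support_view(self) -> dict:
        # Everything an agent can read: no field contains the password itself.
        return {"salt": self.salt.hex(), "pw_hash": self.pw_hash.hex()}

    def issue_reset(self, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token, so a database read cannot redeem it.
        self.reset = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL)
        return token  # delivered to the verified customer, who picks a new password

    def redeem_reset(self, token: str, new_password: str, now=None) -> bool:
        now = time.time() if now is None else now
        if self.reset is None:
            return False
        digest, expiry = self.reset
        ok = now <= expiry and hmac.compare_digest(
            digest, hashlib.sha256(token.encode()).digest())
        if ok:
            self.set_password(new_password)
            self.reset = None  # single use
        return ok
```
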

A Frontier spokesperson downplayed the security risk of plain text password storage.

“Customer service reps do not have access, only tech support does and it is only revealed once the customer has provided the security code to verify identity,” the representative told Ars. “Account modification logs are kept to ensure the company knows who accessed the information.”

Ironically, after disclosing Silverman’s password, the representative shifted the call to sell him on the merits of Frontier Secure, Frontier’s antivirus, identity theft, and computer support protection suite that promises to deliver customers “peace of mind” from “hackers that can steal your identity, hijack your equipment and bombard you with malware, viruses and worse.”

Silverman declined.
