The company People's Energy has contacted all its 270,000 current customers, following a data breach.
Co-founder Karin Sode told BBC News an entire database had been stolen by hackers and included information on previous customers.
Data stolen included names, addresses, dates of birth, phone numbers, tariff and energy meter IDs, she said.
But with the exception of that of 15 small-business customers, no financial information had been accessed.
Those businesses' bank accounts and sort codes had been accessed, Ms Sode said.
And they had been contacted separately by phone.
Most of those affected are unlikely to face any direct financial risk.
But having their data stolen may leave them more vulnerable to phishing attacks - where a criminal pretends to be from an official source to try to obtain other information, often using what they already have to sound credible.
The breach was discovered on Wednesday morning.
And People's Energy has contacted the Information Commissioner's Office, the National Centre for Cyber-Security, the energy regulator Ofgem and the police.
Based in Edinburgh, the company also has customers in England and Wales.
Ms Sode said it was investigating the breach and had called in independent experts but so far had no information about the identity of the hackers.
She and David Pike founded People's Energy, in August 2017, with a commitment to sustainable energy and returning 75% of all profits to customers.
"This is a big blow in every way," Ms Sode said on Thursday.
"We want people to feel they can trust us.
"This was not part of the plan."
"We're upset and sorry."