Hacking protection
fr0zenbrains, 2015-01-24 22:55:19

Should I report a found vulnerability?

Hello. While sorting through dorks, I found the FTP server of a network of regional online stores. On the server, in turn, I found a file, in the best traditions (password.txt), with the passwords for this company's mail accounts in different regions. Since the passwords are the same everywhere, they also fit the admin panel, and there is a database as well... Also a whole bunch of contracts, reports, information about money accounts, bank details, contact information and internal documentation. What should I do with this now? After reading stories about criminal cases and even harassment by the special services, it somehow feels uncomfortable. As I understand it, the company has no dedicated technical specialist or even any kind of support, and my message about the vulnerability could be regarded as an attack, or even worse.


3 answer(s)
xmoonlight, 2015-01-24
@xmoonlight

Write in a textbook and that's it... they will understand...

DaNHell, 2015-01-24
@DaNHell

Heh) Well, let's start with "if you're afraid of wolves...".
If they want to, they will find it even without you sending them a report.
If you really did all of this (as I suppose; did you also try the password on the admin panel?), then recommend at least elementary encryption of the connection channel (depending on how else they interact besides FTP), but better as a package, à la VPN / VPS / VDS.
I hardly think they will dig into you over a bug report...
Use the tickets on the site / sites (better to drop e-mail right away), or other contact details of the management: ICQ / IM / Skype / phone number (free SMS from the operator's website).
And of course, if they smell like web devs, you can look for their bug tracking system, even if it is only for the team's developers. Pleasantly surprise them, so to speak)
So just let them know and don't be paranoid; such habits are appreciated and rewarded abroad, and not only in words.
In the Russian Federation the maximum you get is a word, and it's still good if it's a kind one)) But nobody will do anything with your IP. At least serious companies won't..
Yes, and the issue has already been discussed from the "other side".

Alexey Zorin, 2015-01-25
@newbie67

Maybe I was just lucky, but my attempts to report a vulnerability have NEVER been regarded as a hack. Often they fix the vulnerability without even an elementary "thank you", even more often they do say thank you (I always hint at a reward), but they have never tried to threaten me.
Just in case, you can report the vulnerability anonymously.
