
Well, http://plaintextoffenders.com exists - someone should make creditcardoffenders.com.


Now there needs to be a browser plugin, which warns you when you are about to create an account on such a website.


That's an awesome idea!


The problem with services like that is that they aren't likely to be updated if the company improves its measures.

You'd have to check in regularly to confirm this is still the way they do things.


That's definitely a potential issue. Would be cool if the users' incentives could be set up in a way that prevents the information from getting outdated.


Kind of off topic, but that site also shows sites that email users their password when they create the account. That does not necessarily mean they store it in plain text. Though the kind of devs that would send the password in email are likely to store it in plain text, it's not necessarily the case.


If you send the password in email, that's at least one instance where it was readable in clear text to everyone on the network between you and the server (and probably things like packet sniffers on the local network, right?). It's not as bad as storing it in the clear, but it removes some of the value of (e.g.) hosting a login page via SSL.


Shouldn't email plaintext passwords, ever. Email is not a secure way of communication. Users wouldn't delete their email. Admins can read their email from the server.


Email is rarely secure though.

A password reset link that emails a temporary password is OK in my opinion (not ideal, but a tradeoff for password resets, and perfectly fine if the site actually forces a change on logging in with it), but "Thanks for registering, your password is foo" is not, as then the user has to change it (and some exceptionally bad sites may then email them that password as well).


It does mean that passwords aren't properly hashed. They may be encrypted, but that still leaves open the possibility for an engineer or attacker to have access to plain text passwords.


No, it does not. You can receive the password, email it to the creator, hash it, and then store it. It's not ideal because you now expose it in plaintext in the original email, but you aren't storing plaintext.


You're right. I missed the "when they create their account" part.


No it doesn't, the registration email can be sent before the password is hashed.
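The distinction the last few comments draw (emailing the password at registration versus storing it unhashed) and the reset flow sketched further up are easy to see side by side in code. The following is an added example for this thread, not code from any of the commenters or from plaintextoffenders.com. The function names, the in-memory dicts standing in for a user table and a reset-token table, and the OUTBOX list standing in for an SMTP client are all assumptions made for the demo. It deliberately replaces the "email a temporary password" idea with a single-use, expiring reset token that is stored only as a hash, which is the usual hardening of that flow.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stand-ins for a database and a mail client (not a real store).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float}
OUTBOX = []         # list of (recipient, body) that a real SMTP client would send

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # 16 MiB of memory per hash


def _hash_password(password: str, salt: bytes) -> bytes:
    """Memory-hard password hash (scrypt from the standard library)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def register_insecure(username: str, password: str) -> None:
    """The pattern plaintextoffenders.com flags: the password is hashed before it is
    stored, exactly as the comments above say is possible, but the welcome email still
    carries the plaintext password across every mail relay and into the user's inbox."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}
    OUTBOX.append((username, f"Thanks for registering, your password is {password}"))


def register(username: str, password: str) -> bool:
    """Hardened form: same storage, but the credential never leaves the server."""
    if username in USERS:
        return False
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}
    OUTBOX.append((username, "Thanks for registering."))
    return True


def verify(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users still pay for one hash so that
    response time does not reveal whether the account exists."""
    rec = USERS.get(username)
    if rec is None:
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def request_reset(username: str, now: Optional[float] = None, ttl: float = 900) -> Optional[str]:
    """Issue a single-use reset token that expires after ttl seconds. Only its hash is
    stored, so a leaked token table cannot be replayed. The email carries a link with
    the token, never a password, so nothing in the mailbox logs anyone in by itself."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("ascii")).digest()
    RESET_TOKENS[key] = {"user": username, "expires": (now or time.time()) + ttl}
    OUTBOX.append((username, f"Reset your password: https://example.invalid/reset?token={token}"))
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (valid or not) and set a fresh salt and hash. Consuming on
    every attempt means an expired or mistyped token cannot be retried later."""
    key = hashlib.sha256(token.encode("ascii")).digest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None or (now or time.time()) > entry["expires"]:
        return False
    salt = os.urandom(16)
    USERS[entry["user"]] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    return True


def outbox_leaks_password(password: str) -> bool:
    """Check whether any mail this server 'sent' contains the given password."""
    return any(password in body for _, body in OUTBOX)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register_insecure("bob", "hunter2")
    print("alice's password in outbox:", outbox_leaks_password("correct horse battery staple"))
    print("bob's password in outbox:  ", outbox_leaks_password("hunter2"))
    tok = request_reset("alice")
    print("reset accepted:", complete_reset(tok, "new pass"), "login:", verify("alice", "new pass"))
```

Both registration functions store the same scrypt hash, which is the point the last two comments make: the welcome email says nothing about what is on disk. The only observable difference is in OUTBOX, which is what a listing like plaintextoffenders.com can actually see.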



