by crescentfresh 2625 days ago
I think you're assuming the passwords were stored in readable format as a matter of design. That would get reviewed and flagged at any moderately competent tech company.

I think it was probably something more inane like a POST body being logged. That could slip through a reviewer's crack easily.

Not defending this breach in any way.


Gateways filter that before internal services see anything. There's not any reason to be playing with passwords beneath the Authentication layer. Credentials should be exchanged for the customer identity and expirable nonce. If that mistake happened in the authentication/authorization layer then it becomes a big question of competence.
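As an added illustration (not code from either commenter), the failure mode the first comment describes, a request body written to the log verbatim, sits beside a logger that redacts credential-looking fields before anything reaches the log. The key pattern, mask string and function names are my own assumptions; a real deployment would tune the pattern to its own field names.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

# Assumed pattern for credential-bearing field names. It errs toward
# over-redaction ("compass" would be masked too), which is the safe direction.
SENSITIVE_KEY = re.compile(
    r"(pass(word|wd|phrase)?|pwd|secret|token|authorization|api[_-]?key)", re.I
)
MASK = "REDACTED"


def redact(obj):
    """Recursively mask values under credential-looking keys in parsed JSON."""
    if isinstance(obj, dict):
        return {k: (MASK if SENSITIVE_KEY.search(str(k)) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def redact_body(content_type, body):
    """Return a log-safe rendering of a request body (body is assumed to be str).

    Unknown or unparseable content is summarised by size, never logged raw."""
    ct = (content_type or "").split(";")[0].strip().lower()
    if ct == "application/json":
        try:
            return json.dumps(redact(json.loads(body)), sort_keys=True)
        except ValueError:
            return "<unparseable json, %d bytes>" % len(body)
    if ct == "application/x-www-form-urlencoded":
        pairs = parse_qsl(body, keep_blank_values=True)
        return urlencode([(k, MASK if SENSITIVE_KEY.search(k) else v)
                          for k, v in pairs])
    # multipart, text, binary: size only, never the bytes themselves
    return "<%s, %d bytes>" % (ct or "unknown", len(body))


def log_line_unsafe(method, path, body):
    """The mistake from the thread: the raw POST body goes straight to the log."""
    return f"{method} {path} body={body}"


def log_line_safe(method, path, content_type, body):
    """Same log line, with credentials masked before the string is built."""
    return f"{method} {path} body={redact_body(content_type, body)}"


if __name__ == "__main__":
    # Constructed sample login request, not real data.
    sample = '{"user": "alice", "password": "hunter2"}'
    print(log_line_unsafe("POST", "/login", sample))
    print(log_line_safe("POST", "/login", "application/json", sample))
```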