The list of "who owns which hashes" must be stored on their servers, even if it's not the "same" server. Otherwise I would have to manually transfer my hashes from one computer to another.
Well, OK, but that data can also be convergently encrypted, so you only have to transfer the hash, not the whole list. But your point is well taken. If you can get your data from a different machine with nothing but a user name and password, that's probably a security hole.
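Added example, not part of either comment above and not any service's actual code: a sketch of convergently encrypting the "who owns which hashes" list so that only one hash has to be carried between machines. `BlobStore`, `upload_manifest`, `download_manifest` and the SHAKE-256 keystream (a stdlib-only stand-in for a real cipher) are assumptions made for illustration.

```python
import hashlib
import json

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher: SHAKE-256 keystream XOR, chosen to stay stdlib-only.
    # A real deployment would use a vetted cipher (e.g. AES) keyed the same way.
    stream = hashlib.shake_256(b"stream" + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def locator_for(key: bytes) -> str:
    # Name the blob is stored under; derived from the key but does not reveal it.
    return hashlib.sha256(b"locator" + key).hexdigest()

def convergent_encrypt(plaintext: bytes) -> tuple[bytes, bytes]:
    key = hashlib.sha256(plaintext).digest()  # key is the hash of the content
    return key, _xor_stream(key, plaintext)

def convergent_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    plaintext = _xor_stream(key, ciphertext)
    if hashlib.sha256(plaintext).digest() != key:  # wrong key or altered blob
        raise ValueError("key does not match ciphertext")
    return plaintext

class BlobStore:
    """Hypothetical server: holds only locator -> ciphertext, never a key."""
    def __init__(self):
        self.blobs = {}

def upload_manifest(store: BlobStore, file_hashes: list[str]) -> str:
    manifest = json.dumps(sorted(file_hashes)).encode()
    key, ciphertext = convergent_encrypt(manifest)
    store.blobs[locator_for(key)] = ciphertext
    return key.hex()  # the one hash the user carries to another machine

def download_manifest(store: BlobStore, key_hex: str) -> list[str]:
    key = bytes.fromhex(key_hex)
    return json.loads(convergent_decrypt(key, store.blobs[locator_for(key)]))

# Constructed sample: hashes of three files the user "owns".
SAMPLE = [hashlib.sha256(n.encode()).hexdigest() for n in ("a.txt", "b.jpg", "c.pdf")]

if __name__ == "__main__":
    store = BlobStore()
    token = upload_manifest(store, SAMPLE)
    print("carry this hash:", token)
    print("recovered:", download_manifest(store, token) == sorted(SAMPLE))
```

In this sketch the store never receives the key, so a login with only a user name and password could not recover the list unless the key were also held by, or derivable by, the server.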