by hasty 1598 days ago
That doesn't mean it's stored in plain text. They could be storing a nice hash, and then when the crawler finds your email and password on some site somewhere, it could try to hash it as if you were logging in and see if it matches.
2 comments

Salting (which they absolutely should be doing precisely to make mass dictionary attacks computationally expensive) would make that infeasible.

More likely they're just checking against the stolen passwords database whenever the user logs in, as passwords are typically submitted in plain text.

Salting doesn't matter in this case. They're not finding a list of free-floating passwords and then seeing if anyone has that password; they're finding a list of accounts and associated passwords. So they only have to check that particular combination, just as they would for a regular login.
D’oh you’re right.
Do you know how computationally expensive it is to hash passwords?
It's computationally expensive to hash every single possible password, but given a proposed login/password combo, it's not expensive to check just the one. If Google, in crawling, finds a dump of several million accounts and their purported passwords, it's not a heavy lift to check each password.
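The point made in the last two replies, as an added example that is not part of the thread and not anything Google has published about its implementation: with per-user salts, a leaked (email, password) pair costs exactly one password hash to check, the same as a login attempt, while a free-floating list of passwords with no accounts attached has to be rehashed once per user per password. The store, the PBKDF2 parameters and the sample credentials and dump below are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumed hashing scheme for the illustration: PBKDF2-HMAC-SHA256 with a
# per-user random salt. Any salted, slow hash behaves the same way here.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash, as a site should store it (never the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_store(credentials):
    """Build a hypothetical user database: email -> (salt, hash)."""
    store = {}
    for email, password in credentials:
        salt = os.urandom(16)          # distinct salt per account
        store[email] = (salt, hash_password(password, salt))
    return store


def verify(store, email, candidate: str) -> bool:
    """Ordinary login check: one hash computation for this one account."""
    record = store.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def check_dump(store, dump):
    """Leaked (email, password) pairs: one hash per pair that names a known account.

    Returns (emails whose current password matches, number of hashes computed).
    """
    hits = []
    hashes_computed = 0
    for email, leaked_password in dump:
        if email not in store:
            continue                   # nothing to compare against, no hash needed
        hashes_computed += 1
        if verify(store, email, leaked_password):
            hits.append(email)
    return hits, hashes_computed


def check_floating_list(store, passwords):
    """Leaked passwords with no account attached: the salt forces a rehash per user.

    Returns (emails matching some leaked password, number of hashes computed).
    This is the len(store) * len(passwords) case that salting makes expensive.
    """
    hits = []
    hashes_computed = 0
    for email in store:
        for password in passwords:
            hashes_computed += 1
            if verify(store, email, password) and email not in hits:
                hits.append(email)
    return hits, hashes_computed


# Constructed sample data (not real accounts).
CREDENTIALS = [
    ("alice@example.com", "correct horse"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "Tr0ub4dor&3"),
]
DUMP = [
    ("alice@example.com", "correct horse"),  # still valid: should be flagged
    ("bob@example.com", "wrongpass"),        # stale: not flagged
    ("dave@example.com", "hunter2"),         # unknown account: skipped
]
STORE = make_store(CREDENTIALS)

if __name__ == "__main__":
    print("paired dump:", check_dump(STORE, DUMP))
    print("floating list:", check_floating_list(STORE, ["hunter2", "password123"]))
```

Running it shows the asymmetry directly: the three-entry dump costs two hashes (one per pair that names a known account) and flags alice, whereas two loose passwords against three accounts cost six hashes, and that product is what grows to "infeasible" at a few million accounts and a large password list.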