It's probably cryptographically hashed. There is no reason to keep a raw password in RAM beyond the stack frame of the function that receives it from the client - at any point after that, just store & compare the hash.
It would still be catastrophic if they had access to the hashed passwords of a big number of users. People use weak passwords and they get cracked in no time if you have just a hash.
But as I said before, that also depends on some details about the setup that we don't know from this article alone.
But as I said before, that also depends on some details about the setup that we don't know from this article alone.