No honest website will ever have your password, even for their own use, in plaintext. Since the mid 90s this has been the case. Passwords are immediately one-way hashed - i.e. they are encrypted in a way that no one, not even the original website, can decrypt and then stored. When you come back and log in again they take the new password you supply and encrypt it again with the same one-way has they used the first time. They determine if your password is correct by comparing the hashed values of your password, not the password it's self. This has been standard for like ever. The mere fact that they had access to passwords at all and were able to expose them in plaintext means that they are doing something nefarious in the first place and are harvesting passwords.