It came to light that they were storing passwords in plaintext in an application log. In theory they only store hashes in places where they actually intend to store passwords.