I understand this is somewhat my privilege speaking here, but I don't think I could continue working at a company that didn't do something as basic as hashing passwords (and refused to prioritize fixing that as soon as I pointed it out). It's a massive ethical, if not legal (IANAL), liability -- and a huge breach of users' trust. It's 2021, hashing user passwords is astonishingly easy; I can't imagine any remotely justifiable excuse for something like that.
For what it's worth, the European Union Agency for Cybersecurity publishes recommendations[0] for measures that digital services should implement to fulfil their responsibilities under the GDPR. One of the recommendations, K.6, is:
> User passwords must be stored in a “hashed” form.
These guidelines aren't legal requirements for every service, but if a data breach occurred, and passwords were leaked, regulators would presumably point to this recommendation, and the ease of complying with it, and take that into consideration when issuing a fine.