Storing user names and passwords in plain text when you have several hundred thousand users is not a "honest mistake" in 2019. In other fields a commercial entity failing basic security practices can be considered criminally negligent.