Good question, but perhaps it's shorthand for "your password generates a hash matching that generated by passwords found in various stolen password lists in circulation".

In which case they're not hashing the password properly, they're likely checking the plaintext password as it's sent over HTTPS.

They do not need to transmit plaintext passwords, they merely need to pick when and how to salt each password carefully.

What they can't do is randomly salt each stored password.