Dumping tech-speak on a first-tier customer service rep, I guarantee you, will get you absolutely nothing except a boost to your internal pride meter. This needs to be communicated in another way.
The worst part is that it comes by email, which is plaintext everywhere.
However, "encrypted in a database" is not "plaintext". It's certainly not ideal or recommended, that's for sure, but it's not the worst way to handle passwords. If properly implemented, a bunch of AES encrypted passwords without a key are nearly as useless to an adversary as a bunch of bcrypt hashes.
Just don't reuse passwords (at least for accounts you care about) and it really doesn't matter.
37Signals did this on basecamp for years too. I haven't checked recently and I assume when the consolidated their authentication they probably fixed it.
It was pretty shocking to get my password in plaintext in an email from a leading web app developer. Especially after DHH's multiple beratings of developers who used authentication libraries instead of rolling their own salted password hashing, because you should really understand how your app is handling such things yourself!
I was surprised that I never saw anyone bring it up anywhere.
