The specifics of it escape me at this point. My guess is that it was a hash of the incorrect password. That wasn't necessarily the security risk, but it did spark my curiosity that led to the rest.
I reported a similar issue in GitLab a while back where an incorrect password, entered in the login form, was echoed back to the user in the registration form! IIRC the registration form was picking up on the validation failure in the login form and filling itself in with the submitted form details.
That's extremely bizarre.