I would wager they've done a "forgotten password" action and were sent their original password, always a dead givaway. Doesn't mean they're not encrypted in the database, but that's not good enough either.