The worst thing that can happen here is that somebody connects to your wifi.
Unless a negligible amount of the 4 million users accidentally reused the password for other services as well. Which probably makes 3.9 million victims.
Also, as pointed out by others, this doesn't mean it's stored in plain text.
That does not matter much. If FON can extract it, an attacker can extract it as well, thus rendering it insecure.
That would be accurate if the article did not state that he used the "Forgotten password" feature to recover his password. Also, sending a password unencrypted over email even before database storage is just as concerning. What if I fat-fingered my email address?
That's right. In this case they have it in a recoverable format somewhere (symmetric encryption is not as useless as many seem to think). Thanks for pointing it out, I think I skimmed that part this morning.
However, it is still just your wifi connection, which still has to be accessed locally, and not an ultra-secret password. IMO the policy is not problematic and it can save you the need to write it down somewhere, which for a local-only resource might be a worse alternative.