I'm one of the security guys at 2deg. We've been looking at this since Phillip got in touch.
The issue is on the fix list. Couple of weeks hopefully.
Generally the issue occurs on forgotten password, account reset from CS, or first time login.
In most cases the user should receive an OTP (24hr expiry) via SMS.
Once logged in the new password is hashed etc in the backend.
Some of the other things mentioned were:
External audit... We do engage a third party #notanaccountingfirm to review the security of these servers and other elements across the 2deg infrastructure regularly.
PCI... I'll leave it to a QSA to decide what is in/out of scope however no customer CC data traverses or passes through these web servers. I'm not a web guru but the standard iframe setup is used with a backend validation system based off token.
We use equipment made by large Asian vendors... I can neither confirm nor deny that both Nth American and Asian vendors are involved in 2deg, nor can I confirm nor deny the level of trust we afford either :-)
If you are hashing it on the backend how can you get it back to clear text in the js?
Unless you are using an algorithm that can be decrypted but that basically makes your hashing useless?