Library Elf is a service that does things like send reminders before books are due, to avoid overdue fees. It's compatible with Wellington City Libraries.
It hasn't been working for a while, but emailed me today saying it's working again. I went to delete my account, because I haven't been into a library since I got my Kindle. I didn't remember my password, so I used the "forgot password" function.
Library Elf emailed me my password. This shows that they store the actual password, rather than following the best practice of storing a secure hash. It's possible that they store the password unencrypted in a database, but the only way to work that out would be with system access. Either way it means user passwords are more vulnerable than they should be.
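What the alternative looks like, as an added example that is not from Library Elf or any real service: only a salted scrypt hash is kept, so a "forgot password" request has nothing to email back except a single-use, expiring reset token. The `Accounts` class, its method names, the in-memory dictionaries and the 15-minute token lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters for this sketch; tune the scrypt cost to your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)
RESET_TTL = 15 * 60  # reset token lifetime in seconds

def hash_password(password):
    salt = secrets.token_bytes(16)  # fresh random salt per password
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def verify_password(password, salt, digest):
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

class Accounts:
    def __init__(self):
        self.users = {}   # email -> (salt, digest); the password is never kept
        self.resets = {}  # sha256(token) -> (email, expiry timestamp)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        rec = self.users.get(email)
        return rec is not None and verify_password(password, *rec)

    def forgot_password(self, email, now=None):
        # Returns the token to put in the email link, or None for unknown users.
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only a hash
        now = time.time() if now is None else now
        self.resets[key] = (email, now + RESET_TTL)
        return token

    def reset_password(self, token, new_password, now=None):
        key = hashlib.sha256(token.encode()).hexdigest()
        email, expiry = self.resets.pop(key, (None, 0))  # pop makes it single use
        now = time.time() if now is None else now
        if email is None or now > expiry:
            return False
        self.users[email] = hash_password(new_password)
        return True
```

A real service would also answer the forgot-password request identically for known and unknown addresses, so the form cannot be used to test which emails have accounts.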
I don't know how Library Elf knows about Wellington Library (WL) loans. It could be that I gave them my WL password so they can log in as me. Maybe WL has provided an integration point for Library Elf. It potentially adds to the risk.
I'll point this out to Library Elf. I don't think Wellington Libraries are directly associated, but if anyone wants to tell them, please go ahead.