We had an incident where some of our managers were given passwords for the people they supervise using a particular company website. Ostensibly it was done so the managers could check in on the users and see that they're doing what they've been directed to do with this third party website.
When I found out that a list of the passwords was printed out and given to the managers, I immediately thought that the passwords on the commercial website weren't being stored in a secure fashion and warned users that they should immediately change any passwords that nearly matched their "throwaway" accounts. I'm also afraid that, being typical humans, there are a number of people who used the same password on that site that they use with our internal password system so they didn't need to remember more than one password. I was also shocked that the users weren't warned that their passwords would be distributed to other people/supervisors.
I went to the website in question and clicked on their privacy policy link; it returned a 404 error.
Was I being paranoid?
What are the chances that the commercial website is storing their passwords in the clear if a manager is able to retrieve a plaintext list of passwords?