Don't they just save the hashes of the passwords? I thought it would be standard procedure. I mean, since the 90s at least. WTF!?

They should be held accountable for that. Too many people rely on Google, Facebook and the like also for authentication on other services.