The application stores passwords using weak hashing algorithms (MD5, SHA-1), without salting, or in plaintext, making them vulnerable to recovery if the database is compromised.
If the database is compromised, attackers can quickly recover user passwords, enabling account takeover across this and other services where users reuse passwords.
Use modern password hashing algorithms such as bcrypt, scrypt, or Argon2id, with cost factors tuned so that each guess is expensive for an attacker but still acceptable for a login. Ensure a unique, randomly generated salt is used per password and stored alongside the hash. Never store passwords in plaintext or with reversible encryption.
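The following is an added example (not code from the original finding) contrasting the weak storage pattern described above with a hardened scheme. It uses scrypt from Python's standard-library `hashlib` with a random per-password salt; the `$scrypt$...` record layout, the helper names, and the demo cost parameters are assumptions for illustration, and the parameters should be raised for production.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme as found: unsalted MD5. Every user with the same password gets the
# same digest, so one precomputed table or one fast GPU pass recovers many accounts.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened scheme: scrypt with a fresh 16-byte random salt per password.
# Demo cost parameters (assumed); tune n upward per deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$ln=..,r=..,p=..$salt$key (assumed format)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique salt per stored password
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    params = f"ln={SCRYPT_N.bit_length() - 1},r={SCRYPT_R},p={SCRYPT_P}"
    return f"$scrypt${params}${_b64(salt)}${_b64(key)}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record; constant-time compare."""
    try:
        _, scheme, params, salt_b64, key_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        kv = dict(item.split("=") for item in params.split(","))
        n, r, p = 2 ** int(kv["ln"]), int(kv["r"]), int(kv["p"])
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=n, r=r, p=p, dklen=len(expected))
    except (ValueError, KeyError):
        return False  # malformed record or unsupported parameters
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("weak, identical for two users:", weak_hash(pw) == weak_hash(pw))
    print("hardened, differs per user:  ", hash_password(pw) != hash_password(pw))
    print("verify ok:", verify_password(pw, hash_password(pw)))
```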