I think it would be very rare that people would put two and two together to realize that their password had been “stolen” by this event. Like I say, I have no real idea even if it is being stolen, just that it would be trivial for .ml to decide that they wanted to start keeping a little cache of everyone’s admin email addresses and passwords.
Like someone else said, if it was anyplace other than lemmy.ml, I wouldn’t give it a second thought, it would just be “whoa you gotta fix this.” I sort of agree with you that there’s not even really any strong indication that there’s anything all that bad they could do with it. It’s only because lemmy.ml moderation actions already have such a pattern of authoritarian dishonesty that I get to any degree paranoid or alarmed about it.