Any site admin can do this. The way phishing works is it tricks you into typing your username and password into a website. Because it's a fake website, they have no interest in storing the data.
A Mastodon instance could be a phishing site if it wanted to and see if you're dumb enough to use the same password on the email you used to sign up to the Mastodon server with.
Salting and hashing passwords is good practice if you want to protect your users, but one downside of decentralized services is if anyone can run them, then there's a lot more chance for bad actors to run them.
I've read several times that Mastodon admins can allegedly see your password, from people who used to be a part of it.
Whether that's true or not, I don't know. That there was enough to not bother with the platform.