Not to beat a dead horse here (ok, fine I will) but this is some basic stuff. If they don't even have this covered, the more advanced solutions are likely way beyond them.
Considering that there was a hack at Sony for example that exposed plaintext passwords as well via SQL injection (among many other things of this nature) they can't claim ignorance of the problem.
It was a yuuuuuuge shitstorm for Sony at the time.
Earlier discussion: https://news.ycombinator.com/item?id=16776347
The original thread is here:
https://twitter.com/tmobileat/status/981418339653300224
For clarity, this is T-Mobile Austria.