While I can't speak to security, I can act as a liaison and share your thoughts with the developers. That was my intent: a bit of outreach as I knew it was a concern to some people here. Not sure about the consequent finger wagging and excoriations. Maybe I'm the most visible target, not sure, but I was hoping to take something constructive back.
If you want to take something back, here are a few questions for the developers. I think it's important for Making Fun to have satisfactory answers to these; what you share from those answers is up to you, but since you have a serious trust gap at the moment I would encourage you to be more forthright rather than less.
1. Why are plaintext passwords being written to a log file?
If the passwords were written as a debugging measure that was not supposed to remain in a public release,
2. Why was the decision made to use a method that contravenes best practices, even initially?
3. What failed in our process that this decision was NOT corrected before the public release?
4. Are there any other issues where we made a temporary decision that contravened best practices, and if so have we fixed those issues?
5. How do we know that our answer to #4 is correct? What process verifies that we didn't miss anything?
If it was not a temporary and then overlooked decision,
6. Who made that decision?
7. Is that person aware of security best practices regarding hashing passwords, etc.?
8. Why did that person decide to not follow the best practice in this case?
9. Did that person perform a risk-benefit assessment for the deviation from best practices? What were the conclusions? Was anyone else with security expertise consulted (internally or externally) to check those conclusions?
10. Are there any other issues in which best practices were not known, ignored, or intentionally deviated from? What are they? How confident are you that there are no unknown deviations?