> Over the past few months, our former payment provider Nexi S.p.A. (“Nexi”) requested access to private data, which we understood to be specifically the usernames and passwords of our supporters.

I must be missing something, but why is there an expectation that clear text passwords would even be known?