Virgin America Stores Your Password in Plaintext (imgur.com)
23 points by jamiequint on Jan 30, 2012 | 6 comments



Did you receive that email after registering? The controller action processing your request would have access to the POSTed plaintext password and could pass it right into the email template before it's sent (or queued to be sent). This doesn't mean they're storing it in plaintext.

If you request a password reset and they send back your plaintext password, then they likely are.

  Notifier.new_signup(:email => params[:email], :password => params[:password]).deliver


I got it over a year later; I just cancelled a flight and got an email reminding me of the credit they set me up with. My login and password were in that email, so the above scenario does not seem like what is going on.


Huh, in that case, you're probably right. Scary/disconcerting.


Just to be precise, that doesn't necessarily mean it's stored in plain text since it could be 2-way encrypted (which I would argue is at least marginally safer than plain text). Or if it's a registration, it could be added to the email prior to storing.

Also, a double whammy in exposing a user-specified secret in email. That makes hacking into email considerably more valuable.


True, but 2-way encryption is only slightly less unacceptable.


Which I sort of mentioned.
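
The storage schemes debated in the thread, as an added example that is not part of any comment and not Virgin America's code: with 2-way encryption the server can rebuild the password for a later email, while a salted one-way hash can only confirm a guess. The sample password, the helper names, the choice of AES-256-GCM and PBKDF2, and the iteration count are all assumptions made for this illustration.

```ruby
require "openssl"
require "securerandom"

SAMPLE_PASSWORD = "correct horse battery staple" # constructed sample value
ITERATIONS = 100_000                             # assumed PBKDF2 work factor

# Two-way storage: the record plus the server-held key yields the password
# again, which is what lets a reminder email quote it a year later.
def encrypt_password(password, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(password) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

def decrypt_password(record, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = record[:iv]
  cipher.auth_tag = record[:tag]
  cipher.update(record[:ciphertext]) + cipher.final
end

# One-way storage: only a random salt and a slow salted hash are kept.
# Nothing in the record can be turned back into the password.
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32,
                                      OpenSSL::Digest.new("SHA256"))
  { salt: salt, digest: digest }
end

# Login check: re-derive the hash from the candidate and compare every byte
# so the comparison time does not depend on where the first mismatch is.
def verify_password(candidate, record)
  actual = hash_password(candidate, record[:salt])[:digest]
  diff = 0
  actual.bytes.zip(record[:digest].bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

if $PROGRAM_NAME == __FILE__
  key = SecureRandom.random_bytes(32)
  record = encrypt_password(SAMPLE_PASSWORD, key)
  puts "2-way record + key gives back: #{decrypt_password(record, key)}"
  hashed = hash_password(SAMPLE_PASSWORD)
  puts "1-way record accepts correct password: #{verify_password(SAMPLE_PASSWORD, hashed)}"
  puts "1-way record accepts wrong password:   #{verify_password('wrong guess', hashed)}"
end
```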



