I had exactly the same experience, and I even filed a bug in the bounty program about it 4 years ago.

In my case I was off boarded by an employer, but retained access to it on my mobile device and could read all passwords.

Their initial response was that it was by design, then later tried to pay a bounty I never accepted.