I wonder how many sites will bother checking for Spanish pornpasses. Seems they’re just playing people and waiting for the inevitable, “Turns out the Internet isn’t respecting our kids, we need to ratchet up the control. We tried to give you a good deal though, right?”
From what I can find, by “These routers send your credentials in plaintext”, they actually meant to say, “The mobile app sends credentials in plaintext.”
If you use the web interface then your credentials are not sent in plaintext. The routers themselves also don’t send credentials in plaintext.
The people who found this out got that wrong, and a lot of people are confused because they didn’t expand on “in plaintext.” They could be a little more professional / thoughtful.
Edit: I’m also thinking about the “may expose you to a MITM” bit. I think if it was https then a MITM (assuming all they can do is examine your packets) wouldn’t work because the data can only be unlocked by the private key. It sounds like it was an http connection?