
I'm not very knowledgeable on the process of building a backend API, but could someone explain how sending the email's password back in an error log could ever be a good idea?


Obviously, the answer is never (unless it's for _very_ specific testing in a dev only environment).

In this case, it's not that they were sending the password directly for any reason, but instead returning the raw SMTP log from sending the email, which as a byproduct had the password in it due to needing to authenticate with the SMTP server.


Passwords in error logs are only _ever_ good if doing very, very low-level debugging of why logins aren't working right. Even then it's usually enough to just log which auth backends are touched and their result state. However it MIGHT happen if an encoding issue is suspected. Ideally never on a production system.
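The two ideas above, the raw SMTP transcript that carries the AUTH exchange and the "which mechanism, what result" summary that is enough to log, as an added Python example that is not from this thread or from the service being discussed. It assumes the transcript is in the `send:`/`reply:` format smtplib prints at debug level 1; the sample transcript and the credentials encoded in it are constructed.

```python
import re

# Constructed sample in the style of smtplib's set_debuglevel(1) output, not a real capture;
# the base64 blobs encode made-up credentials. Returned verbatim, this is how a password leaks.
SAMPLE_TRANSCRIPT = """\
reply: b'250-AUTH PLAIN LOGIN\\r\\n'
send: 'AUTH LOGIN\\r\\n'
reply: b'334 VXNlcm5hbWU6\\r\\n'
send: 'bWFpbGVyQGV4YW1wbGUuY29t\\r\\n'
reply: b'334 UGFzc3dvcmQ6\\r\\n'
send: 'Tm90QVJlYWxQYXNzd29yZA==\\r\\n'
reply: b'235 2.7.0 Authentication successful\\r\\n'
send: 'MAIL FROM:<mailer@example.com>\\r\\n'
"""
# smtplib prints the repr of each line, so CRLF shows up as the four characters \r\n.
AUTH_CMD = re.compile(r"^send: '(AUTH\s+\S+)(\s+\S+)?\\r\\n'$")
SEND_LINE = re.compile(r"^send: '.*\\r\\n'$")
REPLY_LINE = re.compile(r"^reply: b'(\d{3})")

def redact_smtp_transcript(transcript):
    """Replace every credential blob the client sent with [REDACTED]. The initial response
    on an AUTH line (AUTH PLAIN <blob>) is redacted, and after any AUTH command each client
    'send:' line counts as credential material until the server answers with something other
    than a 334 continuation; 334 challenges are prompts, not secrets, and are kept."""
    out, in_auth = [], False
    for line in transcript.splitlines():
        if cmd := AUTH_CMD.match(line):
            blob = " [REDACTED]" if cmd.group(2) else ""
            out.append(f"send: '{cmd.group(1)}{blob}\\r\\n'")
            in_auth = True
        elif in_auth and (reply := REPLY_LINE.match(line)):
            in_auth = reply.group(1) == "334"   # 235 or 535 ends the AUTH exchange
            out.append(line)
        elif in_auth and SEND_LINE.match(line):
            out.append("send: '[REDACTED]\\r\\n'")
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if transcript.endswith("\n") else "")

def auth_summary(transcript):
    """Return (mechanism, final reply code) of the first AUTH exchange, e.g. ('LOGIN', '235').
    That pair (which mechanism, 235 success or 535 failure) is all a caller or log needs."""
    mechanism, in_auth = "none", False
    for line in transcript.splitlines():
        if cmd := AUTH_CMD.match(line):
            mechanism, in_auth = cmd.group(1).split()[1].upper(), True
        elif in_auth and (reply := REPLY_LINE.match(line)) and reply.group(1) != "334":
            return mechanism, reply.group(1)
    return mechanism, ""
```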



