I wanted to mention this because the messages in my notifications suggest the new folks might not be aware of this, but the timing is actually quite relevant: I've been working on Mastodon full-time for 4 years. Mastodon was first revealed to the public in a Show HN post around this time in 2016.
Mastodon does not store passwords in plain text. This is trivial to confirm as Mastodon is an open-source project. We use the bcrypt algorithm for one-way hashing of passwords. I can't believe someone is spreading misinformation about something so trivial to debunk.