
Used a sportsbook a few years ago where the popup to view and update your account details, which had a hidden address bar in most browsers, contained "password=<yourpassword>" in the query string. I reported it but they assured me they were 'using encryption' and to look for the 'lock in my browser'. They were using SSL, but had no clue. The site probably handled millions of $ a week.

