They're not storing "plaintext." They're storing the "ciphertext." The fact that you can decrypt ciphertext to obtain plaintext does not mean you are storing plaintext. You can certainly derive plaintext from it, but the actual plaintext, that is, the input to an encryption algorithm, is not stored.
If an attacker gets a database, but does not have access to the encryption key, they do not have your plaintext password.
-----
I agree, a more preferred way would be for MINT to use OAuth-type data delegation. However, they're beholden to what the banks themselves support, and most do not support anything other than account impersonation via username/password.