It seems like they "fixed" people being able to read the passwords by replacing the the form value with __USE_EXISTING__...

It's still trivial to automate account takeover though. Here's a PoC to take over pandora accounts on your network using MITMProxy and Tornado: https://github.com/JackWink/Pandora-Account-Takeover-Tool