Yeah, Outbuilt is full of shit.
If passwords are sent to the password plain-text and then are hashed prior to transacting with the database, then Outbuilt could totally log them plain-text whenever the user logged in, which the user was evidently doing frequently.
Or, even easier and requiring no interaction from the victim user, Outbuilt could make a page where he can set the session variables of his browser session to change his username to the victim user. Then Outbuilt can control the user's account.
After this incident, Outbuilt's behavior hasn't gotten any better. He's doxed people, stolen code, and leaked his customer's programs from his new project: a shitty code authentication service.
All evidence here: https://outbuilt.ooo
He certainly shouldn't be trusted; he ruins everything he touches.