Hi @stuarttravers I'm just a TPG customer and I can't see what the issue is? If someone has forgotten a password it makes sense to me to receive the said password to the recovery email address that was set up when the account was formed.
Plain text makes even more sense, otherwise how were you planning to decrypt it unless you once again knew the encryption password?
I see where you're coming from, most likely the email you received though was automated and wasn't seen by human eyes anyway, in effect encrypted, as it was only seen by you after logging in to your password encrypted email account, yes?
Would a model like a bank employs be secure enough? For instance I needed to bpay something yesterday that required a verification code that was sms'd to me and read off a phone screen and then entered into a field on the web page, supposedly on a https secure site?