Passwords are already hashed. But there is an option as well to send passwords to the registered email address which I've disabled now. It's all done over SSL so no need to panic, but it's disabled now anyway.
How does it know the password to send in the email though? It's good to disable that feature, but it points to something bad in the way the password is stored in the datastore. Usually they are stored in the db with a one-way hash where the real password cannot be recovered (without brute force). If it's able to send the real password via email then there is a vulnerability there.
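The following is an added example, not part of the thread above and not the site's code. It shows one-way password storage, where verification re-derives the hash and nothing in the record can be mailed back, and it goes one step beyond the posts by sketching a single-use reset token as the thing to e-mail instead. The function names, the dict-based user record and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def hash_password(password: str) -> dict:
    """Return the record to store: salt and derived key, never the password."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "key": key}

def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the key from the candidate and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                              record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])

def issue_reset_token(user: dict, ttl: int = 900, now=None) -> str:
    """Create the value to e-mail: a random token, not a password.
    Only the token's SHA-256 is stored, so a datastore leak exposes no live token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user["reset"] = {"hash": hashlib.sha256(token.encode()).digest(),
                     "expires": now + ttl}
    return token

def redeem_reset_token(user: dict, token: str, new_password: str, now=None) -> bool:
    """Set a new password if the token matches and has not expired."""
    now = time.time() if now is None else now
    reset = user.pop("reset", None)  # single use: consumed on any attempt
    if reset is None or now > reset["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, reset["hash"]):
        return False
    user["password"] = hash_password(new_password)
    return True
```
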