@luna I don’t think it mattered here how exactly the password was determined – the ruling is based solely on the fact that a password exists, completely ignoring how easily it could be found. Even if the vendor failed to use TLS for that MySQL connection and is sending everything in plain text, looking around in that database to determine that it isn’t only your data would still be considered a law violation.
I hope that a higher court instance will produce a more sensible definition of “protection.”