Here are some extra details on what happened yesterday.
Here is the MyBroadband article for context.
At 12pm 7 September a colleague of mine received the email from eThekwini, and told me the password was in plain text.
Presumably they were staging emails because at at 4:31pm 7 September I received the same email. The password was in plain-text, and was my actual password, not a newly generated one.
This means they were either storing the passwords in plain-text, or encrypting them and storing that – both of which are obviously bad, because if they can decrypt it, chances are so can someone else.