Someone shouldn't do that, because a) though the poster thinks they have proof that the site doesn't hash passwords, it increasingly seems like they do, and b) the CEO isn't the person to send this to anyway.
I disagree from personal experience. On (a) if you receive an email confirming your registration that displays your password, I guess it could be hashed later but probably wasn't, right? And (b), this happened with my city's utility bill service (has a lot of my personal info) and an email to the mayor's office got it addressed. My larger point is that telling a non-technical higher-up can go a long way for things where customer service may not see the bigger problem.
I agree that if you get the password in an e-mail plain text, there could be an issue... unless your e-mail client is rendering that section using a browser... which happens to have an encrypted version of the password stored locally.
However, in Pandora's case, this isn't what is happening, and it appears they've taken pretty extensive security measures given their constraints.
Telling a non-technical higher-up there is a problem, is also a good way to get a technical person in to trouble. If it is merited, no problem, but if you are wrong, you've just rewarded good work with a load of crap. It is much more appropriate to follow up with the appropriate party and at least give them a chance to respond before sounding the klaxon.
