It may be other pages that are vulnerable. I know you had a lot of hand coding done. Plain text passwords are a secondary concern, but really that only becomes an issue once someone can take advantage of SQL Injection. XSS (cross site scripting) is another issue entirely. It isn't as big of a deal, but probably more widespread. You can have a company test your site for vulnerabilities and give you a report that includes pages and examples. That is probably what this person did on your site and they are just holding back the details. It is really hard to fix without details.