What a thoughtful way to reduce the attacker's workload

from here

So not only does the plaintext password completely eliminate any security offered by storing the MD5 hash (and there isn't much there), it actually provides attackers with a tool that could be used to help crack passwords from other sites. No need to try and figure out what that MD5 hash value corresponds to - if it appears in the database detailed at Have I Been Pwned then you can just look it up.