Yeah. There is an https endpoint, but the page renders wrong for me, so I linked the http one. I didn't look to see if the client login/registration sends plaintext over http.

Edit: It does login over http, plaintext passwords over the wire. Heh.

It is also possible they wanted to shut down this service and pretending a hacker caused damage is an easy way out.