One (unlikely) danger is that these unencrypted email password reminders could be intercepted and used by crooks. But the bigger issue is that the method implies that the grocer stores password hashes in an unsalted format. If there was any kind of breach that exposed these password hashes then the corresponding plain text passwords can be extracted from the stored hashes using a brute force attack and rainbow lookup tables.
Not to be too pedantic, but these aren't hashes. Hashes are one way (salted or otherwise), these would actually be encrypted passwords. How is it the Reg calls hashes encrypted passwords, but when they could use the right term (even if by accident) they still cock it up.
Pales in comparison to the cock-up by Tesco though. When it comes to security every little helps
Getting me coat