Are you serious that it sends your SSID and password to an external server in plaintext? That is so far beyond stupid as to be malicious.
The linked article says that the PCB has provision for measuring power consumption.
My money is on the ESP software sending the data back to the "mothership" where it needs some kind of unique identifier to distinguish between one user and another, and which can be linked back to a specific customer. So the database on the external server uses MAC+SSID+PASSWORD as a unique identifier which correlates to Ecobox+customer.
The problem started when they decided to flog the remainder of their stock with no power monitoring to Home Depot, but couldn't be arsed fixing the software...