Until fairly recently one could set up a network analyser and watch the passwords flow in plain text.
Even today any fool with a computer and direct access to an ISPs internal network can slurp the data flow to sidejack session cookies for I'd say over half the large web service providers operating.
Once in possession of a session cookie, hackers can do anything from sending out spam email to your contacts to ordering goods on your credit card (depending on how much added security the web service provider offers).
One fact above all still surprises most non-technical people I speak to - the internet is not secure. Your data is not encrypted by default and 80-90% of what you do online can be easily tracked.
And you're at your most vulnerable at your ISP. Your ISP is your "first hop", meaning all your traffic goes through their network.
Your data is vulnerable throughout its entire journey, but other networks only catch a portion of your traffic; only your ISP sees the whole picture.