Plain HTTP means anyone between you and the server can see those credentials and gain access.
It it using HTTP Basic Auth by chance? It would be so easy to put nginx (or some other reverse proxy with TLS) in front and just pass the authentication headers.
I was going to say this. Get a hold of the profit margins at your local national fast food chain restaurant and tell me again the profits aren’t that high. 😂