If the intention here was really to steal passwords, it could also be deniability?
Uploading sensitive stuff to logging and/or analytics packages or third party providers is a surprisingly easy mistake to make – which in turn makes it an excellent avenue for plausible deniability.
It can be really hard to tell which one it was without inside information or a detailed investigation.
