are you familiar with the new man in the middle attacks?
For example, if i wrote a PHP script that asks for your VM username and password all i have to do when you submit it is make an HTTP call to the real site and I'll know in seconds if what you entered was right or fake.
No need to already know something you have just told me. I can check if its right or wrong pretty easy
Appreciate that obvious explanation, didn't realise it was as simple as a http request. I've seen similar sophisticated attacks where they use 3rd party verification tools for details such as bank accounts had no idea MiTM had got so easy