If they are spies, they are taking their time to use the data for sure. I run servers with them since 2009 or so. That's 17 years.

I feel like the whole password thing was meant as a protection against SPAM or using servers for nefarious purposes as they know who's really behind every server.

Although, I can also see how real criminals would work around that easily by supplying fake identities. Sounds like one of those "why we can't have nice things". Well, at least the password I gave them 17 years ago has expired since.