Would it? They do this sort of thing constantly. Recently Facebook was accused of trying to acquire a malware company to get at user data after iOS security restrictions became tighter. They were also accessing people’s email accounts after requiring their email passwords for login to Facebook.
Technically, you only get legal issues if you do anything bad with the stolen passwords, but it'd totally be a PR disaster so they wouldn't do it anyways.
Since passwords are GDPR protected data, just saving them (and not using them) without consent is at least a breach of GDPR and illegal in most EU member states.
Theoretically nothing but it'd probably be a PR disaster even for a site like Facebook if people found out it was trying to steal their passwords. (Is that even legal?)