Without HSTS browser might fall back to HTTP which would disclose passwords and sessions leading to account compromise. I'm a penetration tester / red teamer and we do this all the time.
DEFCON has been hosting a Wall of Sheep since forever. They capture and analyze traffic then publish the leaked credentials and other fun stuff. Apparently it's still going: https://www.youtube.com/watch?v=4ZabsNgMHCM . Here's your example.
DEFCON has been hosting a Wall of Sheep since forever. They capture and analyze traffic then publish the leaked credentials and other fun stuff. Apparently it's still going: https://www.youtube.com/watch?v=4ZabsNgMHCM . Here's your example.