Hard to imagine anything they could be doing with these passwords that wouldn't involve a criminal CFAA violation (leaving aside the question of whether installing the malware itself was a CFAA violation).https://motherboard.vice.com/en_us/article/pamzqk/fs-labs-flight-simulator-password-malware-drm …
Pretty sure T&C that require you to breach contract/ToS with another party are not legal or enforceable. Sharing password "voluntarily" is generally a ToS violation.