
Verifying a user's email by collecting their password is ineffective for users with 2FA enabled and reckless/malicious for those (the majority) without it.

Accidentally log that data somewhere, and you've opened a way for attackers to take over your users' bank accounts, social media, and pretty much every other online account, as they all rely on email verification.

If we had privacy laws with teeth, somebody at FB would be calculating how many millions in liability each piece of data collected represents. This one would be astronomical and an automatic "no" by those calculations.



