""While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans’ and the entertainer’s conduct," Andrea Matwyshyn, a law professor at Northeastern University, told Ars.
Regardless of the legalities, Matwyshyn added that this is simply not a very smart practice.
"From a security standpoint, the promotion’s structure needlessly exposes both fans and the entertainer to risk," she e-mailed. "Encouraging fans to engage in bad password practices and to expose themselves to increased risk of identity theft is not looking out for fans’ best interests. Password hoarding also places a bullseye on the entertainer as an attractive target for malicious attackers, further potentially placing fans at risk.""