Another possible theory is that the site has a weakness and has been breached, but they are just not aware of it. At this point it's a bit too early to tell, though.
I encourage other people to test this on their end as well. It's actually very easy to do: spin up a VM image in the cloud, throw some test creds, and see who falls for the bait. I keep a simple spreadsheet with unique usernames in one column and the service I stored those honeypot accounts in the next column. If one of those is accessed, then I know for certain which services not to trust.
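The spreadsheet lookup described above can be automated; the following is an added example, not code from the original post. It assumes the bait VM logs OpenSSH-style password logins, and every username, service name, IP address and log line in it is constructed for illustration.

```python
import csv
import io
import re

# Constructed stand-in for the spreadsheet: unique username, service it was stored in.
LEDGER_CSV = """username,service
hp_k3v9qa,service-a
hp_z71mwd,service-b
hp_t40xnc,service-c
"""

# Constructed OpenSSH-style auth log lines from the bait VM (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 02:14:07 bait sshd[811]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar  3 02:15:41 bait sshd[815]: Accepted password for hp_z71mwd from 198.51.100.23 port 51844 ssh2
Mar  3 02:16:02 bait sshd[820]: Failed password for hp_t40xnc from 198.51.100.77 port 39010 ssh2
Mar  3 02:16:30 bait sshd[822]: Failed password for invalid user hp_z71mwd_ from 203.0.113.9 port 40190 ssh2
"""

# Matches successful and failed password logins, with or without "invalid user".
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def load_ledger(csv_text):
    """Return {username: service}, refusing duplicate usernames."""
    ledger = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"].strip()
        if user in ledger:
            # A reused username could not be traced back to a single service.
            raise ValueError(f"username {user!r} is not unique")
        ledger[user] = row["service"].strip()
    return ledger

def attribute_hits(ledger, log_text):
    """Return {service: [(username, source_ip, outcome), ...]} for bait usernames only."""
    hits = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        # Exact match only, so background guessing such as "admin" is ignored.
        if m and m["user"] in ledger:
            hits.setdefault(ledger[m["user"]], []).append((m["user"], m["ip"], m["outcome"]))
    return hits

if __name__ == "__main__":
    for service, events in attribute_hits(load_ledger(LEDGER_CSV), SAMPLE_LOG).items():
        print(service, events)
```

Even a failed attempt with a bait username counts as a hit, because the username exists nowhere except in the one service it was stored in.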