Troy Hunt: Your login form posts to HTTPS, but you blew it when you loaded it over HTTP
The fact that it’s loaded via https allows us to change it, in this case using a Javascript keylogger to post to another website every time a character is typed. For example: https://wiremask.eu/articles/xss-keylogger-turorial/,