Because now they have your login and password - not a hashed version they can only validate against, but the real thing that can be used to log into your network. They shouldn’t ever have it, aside from them being able to sell credentials this also means someone else could probably obtain access to all of them