Often it is this too, because of sloppy coding, not even malicious intent. I've seen people implement JavaScript easter eggs that play a funny joke, but in doing so the developers had created a keylogger by accident that was logging everything you did on the site. Again, wasn't malicious at all they didn't think about it at all.