as much as I'm sure it's not a trap it's still a pretty bad practice. In theory your site could also get hacked and people could start collecting new usernames and emails not in the database.
As I've stated several times, my site doesn't store any details like these, it uses OpenInviter, they authenticate the credentials, pull back the list of contacts, I process the list of contacts and check it against the database of EXISTING hacked email addresses. The credentials you supply and the email addresses I pull back are NOT stored anywhere.