I can't speak for the others, but let me make clear that I am being entirely facetious. Selling data of user-provided passwords in this kind of context (an app ostensibly used to provide security) is among the worst kinds of evil. Requiring, or even allowing, users to escape from this kind of evil by paying a ransom is unconscionable.
Oh my god, this whole thread is ridiculous. I need to say that I intended my original comment as a joke. I don't think it is ethical to misuse users' data, even if it's anonymous.
Devil's advocate: how would that be better than the algorithmic approaches (weak, medium, strong indicators implemented in JavaScript, etc.)?