So it turns out Verizon left debug code intact on their website:
When viewing the Login source code, we can see console.log is enabled for both username and password fields:
console.log("IDToken1 else button"+$j(this).val());
There is one more username/password logging, unsure how to reach this one, but still should not be here:
There is no reason to log this in production. It serves no purpose.
I also found this, but unsure as of yet what it's intended to log:
console.log("isOfferShortLivedPassword : "+isOfferShortLivedPassword +"isUserNameOnly : "+isUserNameOnly +" onestep : "+onestep);
But really, again, console.log is great in staging, but not production.
Additionally, there are a ton of unhandled promises, and references to null variables. This really should be fixed.