This is just a quick thought I had at work today -- actually, I had it in November, but just got around to posting it now. Common story, but eh?
Anyway, I was having trouble logging into our issue-tracking solution
My point? If you're an attacker and want to collect passwords for internal systems, even if you only have hashes, replace the passwords and start logging requests. I'll bet people try the same password twice, then a couple others. Suddenly, you have a bunch of passwords to try on other systems. You might even get a couple varied usernames.
Of course, that can be considered evil. But eh?