There was a GitHub issue opened, and after several follow-up complaints they blocked further commenting and then removed the ticket.
Subject of the ticket: [plaid/link] privacy/security concerns (#68)
I refuse to do business with any business that uses Plaid and has no sane alternative to get bank account numbers (deposit two small amounts, three days later I tell you what they are).
First time I saw it, I assumed the website had been hacked. I was actually more horrified when I found out that this was working as intended and some website wanted my bank password!
If in doubt, you should check your bank's terms of service for online banking.
I'm a bit horrified this is still a thing, too. Doing this just confirms you have the correct account and routing number, so you can deposit and withdraw. It won't allow you to see transactions--will it?
FWIW, a minority of banks have "linked apps" that allow you to revoke access from the bank's website (some are clear they're restricting it to read-only access). But I'm not sure how consistent or widespread this kind of thing is. I doubt if you're offering a service like Plaid you could rely on only supporting these institutions.
This was my exact same impression. Even after some Googling and asking friends where I learned this was a thing, I was still very wary that it was legit.
We do use the Plaid Link widget (as do most other fintechs in the US). We don't touch credentials or handle the bank login page.
Commentary about the state of the US banking system aside, Plaid is pretty much the industry standard way to do instant bank account verifications today. However, we also have options to link with debit card and account / routing number if you're not comfortable with the Plaid route (totally understandable).
Also, it's one thing for me to let a third party withdraw money from my checking account (if I provide my account number), but that doesn't mean I want to give them the ability to do things like change my password, disable 2FA, read my transaction history, transfer money out of my other accounts, cancel my cards, and so on — which they can if they have my password. That's just insane.