the entire concept of having the users provide their credentials to a third party for them to access their accounts to provide a service is one of those things that should be included in the anti-phishing training. i don't care if the service doesn't provide a proper API for third party access or not ESPECIALLY if it is for a cloud provided service. if it was a locally running app, i might consider it only slightly less egregious.
