by SpikedCola 1511 days ago
This is something that absolutely blows my mind. The bank's terms of service say you can't hand over your password to anyone, and here is Plaid asking users for their login information! I can't understand how they can ask users to breach terms of service, and have gotten so far.
2 comments

I was dubious while doing it - and I gave Plaid access to my settling account. I consoled myself that they wouldn't have my income, but then realized they had a copy of my financial information on spending, which is equally bad, or worse than just income. I ought to have been more vigilant - I unfortunately fell into the trap of thinking that banks are slow-moving and reluctant to develop API access.

I will never sign up for a service that requires Plaid.

Why isn't it done through a proper API that you grant them a token for?

And how do Plaid bypass your bank's per-login 2FA if they're logging in as if they were a user?

Because not many banks have such an API.

Plaid just relays the 2FA question.

I think websites would have a tough time preventing users from sharing username/password. It would certainly be acceptable in a power of attorney situation.

Not only do they relay the login and 2FA information, they even show the login as a window with company colors and branding as if you were logging in to your bank directly.