From their website [1]: "When you choose to connect your financial accounts to an app using Plaid, you will be prompted to enter the username and password associated with those accounts. Plaid then links your accounts to the app you want to use so you can share your data."
Disagree, they are hiding the fact by assuming ignorance of most users. A true “link” would use something like OAuth to have the bank handle authentication and provide an explicitly scoped subset of consumer data to Plaid. Instead they are taking the plaintext password and getting total access. Just taking that password itself is a security vulnerability. Google doesn’t even know your Gmail password, just the hash, but since Plaid can’t use a password hash to log in, it must store your plaintext password to your financial accounts, some of THE most sensitive data. Furthermore, they have access to way more data than they should rather than clearly defined scoped subsets of it.
The whole company is a privacy and security disaster. Of course it’s annoying that banks don’t provide reasonable OAuth APIs, but Plaid “disrupts” that by deceiving consumers into dangerous security vulnerabilities with their most sensitive personal data.
You speak idealistically, but the reality is that many of these banks did not have open banking standards nor APIs before. The scraping led to this movement and FSAs all over the world are starting to push for no scraping while financial institutions create APIs and contracts with these platforms.
The fact is pretty much hidden. I tried to link my Toshl (a budget app) account to my bank, to automatically import my movements. I saw that they were using Plaid, and I found that weird. I went to search the page you linked, and I still didn't know how it was connecting to my bank. I used an "application password" with limited permissions from my bank to use with Plaid, and funnily enough it didn't work. In fact, my bank locked my account because Plaid tried to log in through the regular user interface with a wrong password several times. It was only then that I saw in forums and such that what Plaid does is scrape HTML.
When you use Plaid, you don't get the impression that's what they're doing. We're used to dialogs to "give permissions to an app" that don't share our user/password with anybody. Plaid purposefully emulates those dialogs and gives you the impression that you're just logging in with your bank, instead of explicitly telling you "we will store your user and password and use that to log in with your bank".
"link" to me implies something along the lines of a FB/Google/GitHub OAuth login, not that they steal my credentials.
I guess technically they just say, "you will be prompted to enter the username and password associated with those accounts" and don't specify that they (Plaid) will be using your credentials, but I don't think it's clear enough that you are giving your credentials away!
[1] https://plaid.com/how-it-works-for-consumers/