Yodlee, the worldwide banking network, happily stores millions of people's BANK ACCOUNT passwords, with no interest in using a secure Auth API, and nearly no one cares.

Why should Blur care about keeping your FB credentials private?

I think the implication is that the aggregation is done server-side, so it needs your credentials there (not that that is a good idea or that sending credentials in the clear is not complete and utter incompetence).

Edit: upon closer reading, credentials were sent over a secure connection, but aggregated content was sent in the clear.