Because we've known about credential reuse for 20+ years, developed multiple means to keep a site secure when it happens, and then chose not to employ those security measures on data people broadly consider incredibly sensitive.
It is your job as a service provider to not allow access to anyone but the authorized user; how you do it is an implementation detail. You can't throw up your hands and say "well, we decided that doing that is too hard, so we're defining the authorized user as anyone who knows the password."