Err, don't most company T&Cs prevent you ...
from giving your email address to a 3rd party ?
(I know they do, I have done a LOT of reading on this).
So any user that happily types their password into Facebook loses all protection ? No, it may not be fair, or nice, but the bottom line is NEVER GIVE A THIRD PARTY YOUR LOGIN CREDENTIALS.
(Incidentally, for all the sniffiness about SMS 2FA, accounts so protected would have been safe from Facebooks prying eyes).
Note also this applies to companies that "require" you to give them your Facebook/Twitter/MySpace login details.