Exactly! Maybe they're idiots, maybe they're phishing, maybe its a site built in a day that turned out to be useful. Point is your trusting someone you don't know. Use different passwords for sites that matter.
Heuristics are bug ridden by definition. If they didn't have bugs, then they'd be algorithms.