After couple simple test with incorrect password didnt get thorugh which mean the site HAVE OUR PASSWORD, so they do have our data, login or not is nothing different.
Just dont provide new data just to withdraw the fund, this might be a flag if they really do request it.
I don't disagree with most of what you are saying but it needs to be pointed out, again, that user logins are a comparison of the result of a salted(?) and hashed password against the salt+hash stored in the DB. They are NOT decrypting your stored password to compare with what you typed. In theory this means if a rather sophisticated operation was going on (meaning BTCe had their twitter etc compromised) a bad actor could still have a functional login and NOT actually know your password (but log it when the hashes match). I am not suggesting this is what's happening and tbh I think the .nz site is most likely legit but let's not spread misinformation about how user authentication works.