Board: Service Announcements (Altcoins)
Topic: Re: Just-Dice.com : Play or Invest : 1% House Edge : Banter++
by dooglus on 24/10/2013, 17:13:37 UTC
Indeed, I think this is a modified CSRF attack. Someone can put the login link into an invisible iframe on any website, which can not only destroy someone's access to his or her account but also prompt unsuspecting newbies to deposit to a public account.

OMG can it be fixed?

I could make it such that any time you log in using a "secret URL" link, the site pops up a warning message suggesting that you should set a username and password.

That should prevent the attack from working on people who read popup messages.  But that may be quite a small percentage of people.
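
A server-side complement to the popup idea in the post above, as an added example that is not part of the thread and not Just-Dice's code: decision logic for a "secret URL" login endpoint that refuses framed loads and never silently swaps an existing session. The function and field names are hypothetical, and it assumes the browser sends the `Sec-Fetch-Dest` and `Sec-Fetch-Site` request headers (older browsers do not, so only rules 2 and 4 apply to them).

```javascript
// Added example; decideSecretUrlLogin and the request field names are hypothetical.
const FRAME_DESTS = new Set(["iframe", "frame", "embed", "object"]);

// Response headers telling the browser not to render the page inside any frame.
const ANTI_FRAMING = {
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'none'",
};

// req.headers:        request headers, names lower-cased
// req.sessionAccount: account of the visitor's current session, or null
// req.targetAccount:  account that the secret in the URL maps to
function decideSecretUrlLogin(req) {
  const dest = req.headers["sec-fetch-dest"]; // undefined on older browsers
  const site = req.headers["sec-fetch-site"];
  const base = { action: "login", warnSetPassword: true, headers: ANTI_FRAMING };

  // 1. The link was loaded inside a frame (the invisible-iframe case): no login.
  if (dest !== undefined && FRAME_DESTS.has(dest)) {
    return { ...base, action: "reject", warnSetPassword: false };
  }
  // 2. Visitor is already logged in to a different account: never swap silently.
  if (req.sessionAccount !== null && req.sessionAccount !== req.targetAccount) {
    return { ...base, action: "confirm" };
  }
  // 3. Navigation was started by another site: show a confirmation page first.
  if (site === "cross-site") {
    return { ...base, action: "confirm" };
  }
  // 4. Typed, bookmarked or same-origin: log in, with the set-a-password warning.
  return base;
}

// Constructed sample requests (not real traffic).
const SAMPLES = {
  hiddenIframe: { headers: { "sec-fetch-dest": "iframe", "sec-fetch-site": "cross-site" },
                  sessionAccount: "alice", targetAccount: "shared" },
  crossSiteLink: { headers: { "sec-fetch-dest": "document", "sec-fetch-site": "cross-site" },
                   sessionAccount: null, targetAccount: "shared" },
  bookmark: { headers: { "sec-fetch-dest": "document", "sec-fetch-site": "none" },
              sessionAccount: null, targetAccount: "alice" },
  oldBrowserOtherSession: { headers: {}, sessionAccount: "alice", targetAccount: "shared" },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name, "->", decideSecretUrlLogin(req).action);
}
```

The confirmation page in rules 2 and 3 should name the account about to be opened, so a visitor who followed a planted link can see it is not their own before depositing.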