I see no reason for anyone to be surprised that such sites are honeypots, it is already clear to everyone that even using this forum without adequate protection means that you have absolutely no privacy. When the forum was forced to start using Cloudflare, even the admin expressed his opinion on who was behind it.
What I meant is that Cloudflare can see your unencrypted password when you log in. It's still encrypted from the real server to Cloudflare and from Cloudflare to you. So it's not blatantly insecure except in that Cloudflare is very probably an NSA honeypot...