It looks like the credentials in credentials.json are your Plaid access key/secret/etc, not your bank account username/password. If an attacker gets them, they'd have read-only access to your bank account until you rotate your Plaid creds, but they wouldn't be able to do anything as simple as logging into your bank account and transferring all your money out.
EDIT: It's actually worse than that, see comment from erichurkman below.
Careful, because Plaid also gives you access to your account's routing and account numbers [0]. I'm not sure if the way this library works gives access to those, but with a routing & account number a thief _can_ write checks, debit your account, etc.
Are routing and account numbers considered “secret”? Potentially any one of the handful of people I still write checks to could be unscrupulous and write checks, debit my account, etc., right?
I must be missing something, but making fake checks with fake banking information is a felony. What am I missing? The links don't explain how this criminal.
Yes! That’s why I recently had to go through the annoyance of changing checking accounts when someone stole the mail of one of the few vendors I still send checks to. Actually, I would have taken the risk, but my bank would not.
Yeah, good point - I figured Auth wouldn't be enabled on a free developer account, but it looks like it actually is these days: https://plaid.com/pricing.