Yes, they are being fished. I was using the term hack as a catch all. However, two factor authentication would still prevent the malicious site owners fromt aking over the accounts.
If you put on an authenticator, that code is only good for 30 seconds. Without the physical token, or if LL were to use a smartphone app which would require both a serial number and a restore code to use it, the username and password would be useless. A lot of MMO's and banking web sites have used these for years and it cuts down over 90% or more on accounts being taken by whatever means.