Mostly because your account login is sent in the clear (people could see your username and password) when you log in/connect.
Also, as the push to get SSL everywhere continues, people are going to experience web browsers being less cooperative on user logins (on websites without SSL). Chrome has announced that the current Chrome Beta version (destined to be version 56) will be very clear about any password or credit card fields that are not on an SSL webpage.
It will probably reach a point in the near future where browsers (and other internet software apps) will make the user jump through additional steps to access accounts (usernames and passwords) and credit card fields if the site is not encrypted. (I am not real thrilled that browsers are forcing changes instead of people changing themselves.)
The biggest push is because people use the same username and password across many different websites, and the bad guys know it. Just look at Yahoo finally admitting 1 billion accounts compromised in 2013 and 500 million compromised in 2014. I guarantee that many of those accounts use the same username and password at Yahoo as they use on Amazon, their credit cards, banks and medical sites.