Security researcher arrested after he warns Hungarian transit company about their dumb mistake

This is likely part of the movement in browsers to label “almost secure” behaviors as insecure. eHarmony could be using HTTPS for their login, but serving the form for that login over HTTP. Firefox used to warn about form submissions that had a password field and were targeted to HTTP regardless of how they were served; it has recently started to also warn about password forms served over HTTP but targeted to HTTPS. A decade ago this was considered secure and fairly normal practice, but since then security researchers have shown that a clever attacker can use any number of methods to intercept the HTTP-delivered form and alter it to submit to their own system.

Yes, even if all of that data is only ever handled under HTTPS, if any part of their site at all is ever served over HTTP then much of that protection is lost.