So you had $40K in your account and you didn't even set up 2FA?
Without 2FA there are so many ways an attacker can obtain your password.
Without 2FA there are so many ways an attacker can obtain your password.
If they have a thief inside a company, 2FA also will be hacked.
So tell me please the way how hackers can obtain my password, exluding trojan, and fishing? the only way to obtain my password from outside to hack https of btc-e?
Maybe your 2FA device has a virus and the hacker can able to obtain the code. Contact agatin the btc-e support, only they can help you.
2FA alone is not enough--every service that holds cryptocurrency should require verification via email combined with 2FA authentication (this is what Poloniex does). Withdrawals should require the same.
Any service that runs without these basic features is just asking for money to be stolen.
btc-e does require email verification for withdrawals. Which is why this is probably OPs funds being stolen:
So its more a case of unauthorized trades rather than OP's claim that "40 000 USD was stolen".
I guess it serves as a great lesson on why bothering to learn about 2FA (which takes about 2-3 minutes) could save your account from unauthorized access. Just because a mobile can also be hacked it doesn't make it any less useful of a security feature.
Another question I have is what email address/username was used in this situation, is it one that is shared among other websites of the same nature or was it a unique email address that was never actually used for email purposes?
If your email address even shows up on a Google search that means it is vulnerable. You should have a unique, unknown, unused (besides verification and sign up) email address/username that is not listed on any search engine to maximize security. If you don't have a unique username then you should have a super common one that shows up everywhere.