Just a thought. Before being allowed to withdraw any funds, why don't exchanges ask for another different password or confirmation via email?
When logging into Bittrex, Bittrex sends an email in case you didn't log in. That only works if one is online and watching their email account. It doesn't take long for a scammer to change the password.
This wouldn't really help that much as the hackers are using low volume coins to trade your funds away by buying high and selling low to accounts that they control.