Guys, on Telegram groups I'm reading about various people who got their Bittrex accounts hacked despite using the 2FA, is it true?!
Its impossible. They don't know what a hack is. Ask them if they enabled their API? If it is then they dont realize that its a key to their account and if someone got hold on it then they can use their account. They just don't understand what an API means and what it can do.
Very simple, don't enable your API.
It's not necessarily a hack, it's a phish. The fake site asks the user for their login and 2FA, then says it failed, wait a few minutes then try again; then when the user tries again, it uses the second 2FA code to withdraw funds. No API required for this, it can be done by front-end HTTP requests.
Quite sophisticated phishing hack, but it's definitely possible (as that is what is happening).