A user being phished (assumption) while not having 2FA enabled does not mean that the exchange was hacked.
BTC withdraw verification via email is not 2FA.
I do agree we must not drag the name of a company or any other service provider because we got careless and fell for a phishing scheme. We are liable for our own actions, and seeing more user accounts being compromised almost every day should be a learning point for everyone, and we should add extra security to our accounts to avoid losing money or personal data leaks.