My account ibinsad was hacked yesterday.
I think, in addition to 2FA:
1. Passwords must be longer and more complex, and all users must reset their passwords.
2. If a hacker changes the email, I must approve the change from the original email; he/she must have access to the email before having total control of the account.
3. Optional phone verification: send an SMS before important changes. If someone wants it, maybe they have to pay, because SMS messages are not free.
So administrators and users do not have to lose their time recovering accounts.