A user being phished (assumption) while not having 2FA enabled does not mean that the exchange was hacked.
BTC withdraw verification via email is not 2FA.
If you are using a second device for that email, like your smartphone, than counting as 2FA.
A banking app on same desktop for TAN verifications, that surely isn't second factor but a local bank in my area told me it's OKAY. I answered THANKS.
No no never both communication channels over one single device, that's my understanding. Two independant devices, that never get connected. Email on smart phone can be done in a safe way.