I think this is recently added.. or you had 2FA via email.. It never asked me to check my email to log into.. This is possible if a database leak has occured, which is the most likely scenario, even though they will try to deny it.
Well obviously something is up, why else would they change default settings to 2fa just around the time multiple people report
login attempts or stolen funds.
If true, it's kinda irresponsible for them to not notify anyone to at least change passwords.
Indeed, such an anouncement could cause panik withdrawals, similar in effect to a bankrun. Any tradeside that cannot pay back deposits in a timely manner will have to sweat out over each and every breach in security.
I had been sweating when a BTC withdrawal took like 15 hours, and they are paying network average fees so no fault on their side.