There's nothing "timely" in a hacker having your password for months and only using it when he's notified of your deposit by the simple automatic API-reading alerts he set up. If anything, I'm surprised he took as long as 20 minutes.