One simple thing that many other exchanges have already implemented could have prevented it:
Withdrawals only through email verification.
Except if Joe-one-password is also using the same password for their email, which is not so unlikely since we already know they don't use a different password for every service.
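The control the first comment proposes, and the failure mode the reply points out, as an added Python example that is not from either commenter: an email-confirmed withdrawal flow in which the mailed token is random, short-lived, single-use and bound to the exact amount and destination, followed by a constructed scenario showing that the check holds against someone who only has the exchange password but not against someone who also controls the mailbox. The class and function names, the 15-minute expiry and the sample addresses are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: confirmation link valid for 15 minutes


@dataclass
class Withdrawal:
    user: str
    amount: int        # smallest unit of the asset (assumed)
    address: str
    token: str
    expires_at: float
    confirmed: bool = False


class WithdrawalConfirmer:
    """Email-confirmed withdrawals (hypothetical implementation): a request is
    parked until the single-use token mailed to the registered address comes back."""

    def __init__(self, send_email, now=time.time):
        self._send_email = send_email          # injected so the example runs offline
        self._now = now                        # injected clock so expiry is testable
        self._pending: dict[str, Withdrawal] = {}   # token -> parked withdrawal

    def request(self, user, email, amount, address):
        token = secrets.token_urlsafe(32)      # 256 bits of entropy, not guessable
        w = Withdrawal(user, amount, address, token, self._now() + TOKEN_TTL_SECONDS)
        self._pending[token] = w
        # The mail restates amount and destination so the user can spot a swapped address.
        self._send_email(email, f"Confirm withdrawal of {amount} to {address}: token={token}")
        return w

    def confirm(self, token, amount, address):
        """Return the withdrawal if the token is valid, unexpired, unused and the
        amount/address match what was mailed; otherwise None."""
        match = None
        for t, w in self._pending.items():     # constant-time compare per entry
            if hmac.compare_digest(t, token):
                match = w
        if match is None or self._now() > match.expires_at:
            return None
        # Bind the confirmation to the exact transaction that was mailed, so an
        # attacker cannot confirm one request and redirect the funds to another.
        if match.amount != amount or match.address != address:
            return None
        del self._pending[token]               # single use: a replayed token fails
        match.confirmed = True
        return match


def demo():
    """Constructed scenario: a legitimate user, an attacker who only has the
    exchange password, and an attacker who also owns the mailbox."""
    mailbox = []                               # stands in for the user's inbox
    c = WithdrawalConfirmer(send_email=lambda to, body: mailbox.append((to, body)))

    # 1. Legitimate withdrawal: the user reads the token from the mail and confirms.
    c.request("alice", "alice@example.test", 100_000, "bc1q-alice")
    token = mailbox[-1][1].split("token=")[1]
    legit = c.confirm(token, 100_000, "bc1q-alice") is not None

    # 2. Replaying the same token is rejected (single use).
    replay_rejected = c.confirm(token, 100_000, "bc1q-alice") is None

    # 3. Attacker with only the exchange password parks a withdrawal to their own
    #    address but cannot read the inbox; a guessed token fails.
    c.request("alice", "alice@example.test", 100_000, "bc1q-attacker")
    guessed_rejected = c.confirm(secrets.token_urlsafe(32), 100_000, "bc1q-attacker") is None

    # 4. Attacker who reused the password on the mailbox reads the real token:
    #    the control cannot tell them apart from the account owner.
    leaked = mailbox[-1][1].split("token=")[1]
    mailbox_compromise_succeeds = c.confirm(leaked, 100_000, "bc1q-attacker") is not None

    return {
        "legit": legit,
        "replay_rejected": replay_rejected,
        "guessed_rejected": guessed_rejected,
        "mailbox_compromise_succeeds": mailbox_compromise_succeeds,
    }


if __name__ == "__main__":
    print(demo())
```

The scenario makes the reply's point concrete: the email step stops credential stuffing against the exchange alone, but it only raises the bar to "also own the mailbox", which password reuse hands over for free.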