Board: Web Wallets
Re: Coinpayments robbed
by MrData on 22/05/2018, 23:17:26 UTC
Yep, the most common things we see are:

1) The user's email gets hacked, then the hacker just logs in if the password is the same or does a password reset since they have access to the email. If the user enables Google Authenticator/TOTP it would prevent this from working. A lot of the time they delete the emails afterwards so the user doesn't get tipped off too fast that they were hacked.

2) Leaked API keys with 'auto_confirm' permission enabled. This usually comes from people's servers or software having vulnerabilities; a lot of the time, especially on more questionable sites, they are using pirated (aka "nulled") scripts with backdoors and such in them.

TLDR: For best results, enable Google Authenticator/TOTP; if using API keys, only enable the permissions you need, use an IP whitelist, and set limits if possible; if running your own server/software, make sure you know how to secure your system.