Don't know how much you lost but these are issues Coinpayments needs to put some keen interest into as this will dent their reputation.
And according to the OPs narration of how he lost his coins it's no rocket science that this has inside job written all over it unless hackers have gotten more sophisticated to pull this one off and Afaik I believed they are the payment processors that were supposed to be challenging competitors like bitpay
-snip-
TLDR: For best results enable Google Authenticator/TOTP, if using API keys only enable permissions you need and IP whitelist and set limits if possible, if running your own server/software make sure you know how to secure your system.
Ip whitelisting sounds like an effective way to protect valuables but the problem comes when you using a dynamic ip and you need to confirm your activities every time you try to login to get access which grows to a pen in the butt