What Dave Jevans recommends moving forward is a 3FA approach. Has anyone used this or what are your thoughts?
You can install as many security mechanisms as possible if the users act carelessly in the end. Social engineering is a broad field, so you can't say exactly how the hackers got to the data, but it often happens via a personal mail asking to change the password and then redirecting to a fake site. It is difficult to prevent such mistakes from individual users.
Worst case possibility is they kill you? Or they kidnap you? Right? The "hackers, or hijackers, or murderers, or thieves", whatever you want to call them.