this is very awful , and its good you were able to remove your coins. this attacks could be from some phishing links you might have clicked. an insider wont even need to enter your email to login, however we need to be careful of such exchanges so you need to let us know or hint us.
I do not click on email links. I always go to the site directly to check if the email message is legit.
I use iPad and iPhone. They should be safer than Android phones.
I will repeat what I had mentioned before:
In order to change password, they need 1. a security code sent to my email address and 2. code from Google Authenticator. The Google Authenticator associated to my account is in an old iPhone which was turned off at the time during the hack. And I did not even keep its recovery code.
The last email (which I initiated) from them asked me to withdrawal my coins to avoid potential losses. They told me I cannot trade or exchange, only withdrawal. I replied to them, but they stopped responding since. As of today, I still don't know what they meant by "potential losses" and how.
It is really better to store your coins in your own wallet. Even if the exchange is a trusted one or top exchange, you have no assurance about the security of your coins. Let us say you are very careful in terms of security of your account, still when your coins are out there, is vulnerable to potential attacks.