Bitcoin Forum
1  Economy / Gambling discussion / Re: PSA: Nitrogen Account w/ 2FA Compromised and Emptied on: March 09, 2017, 10:40:37 PM
This is their formal response from Risk Management, after conducting their investigation. I followed up requesting that they at least confirm the login and withdrawal request was made from somewhere different than my usual location and they refused to do so. I've blocked out my player number and the team member's name.

"Nitrogen Sports Support at X:XXam on March X, 2017
Hi XXXXXX,

My name is Xxxx and I’m writing you on behalf of our Risk Management department in regards to the recent report of an unauthorised withdrawal. Firstly let me start by saying thank you for your patience while our investigation was conducted.

This was the first time we’ve received a report of a Nitrogen user being compromised while having 2FA enabled on the account, so we wanted to use every available resource while conducting the investigation to ensure the security of our users’ accounts.

After a thorough review of your account, login details, betting activity, poker activity, withdraw/deposit history, and otherwise, we’ve concluded that no illegitimate access to the account has occurred as a result of a breach of Nitrogen Sports security.

To address your concerns in regards to the Cloudflare being a possible point of compromise, I'd like to be clear in saying that Nitrogensports.eu was not affected by Cloudbleed to any extent, as indicated to us directly from Cloudflare themselves.

Nitrogen did recommend all users to update their passwords, however, this was done in an effort to protect our users who might have used the same password for another site which was compromised. In the event we had been affected we would have been able to detect unusual login activity very early on, which our investigation showed is also not the case.

Lastly, I’d like to provide a little insight as to why we do not offer IPs upon user request. This has to do with a multitude of security policies we’ve set in place, but is mainly a safeguard in the event a user’s account ever is compromised. In the event this were to occur, a user may not only be able to view the sensitive information stored in our on-site tickets but then use that information however he likes to socially engineer his way into other secure services a user may have.

Following the conclusion of our investigation, we remain confident in our site’s use of 2FA to keep users’ accounts and funds secure within our servers. We are sympathetic to your recent misfortune and wish you the best of luck in the retrieval of your funds.

Sincerely,

Xxxxxxxx
Risk Management
Nitrogensports.eu"
2  Economy / Gambling discussion / Re: PSA: Nitrogen Account w/ 2FA Compromised and Emptied on: March 09, 2017, 10:00:15 PM
2FA was not removed at any point from my account (as far as I can tell and support has indicated). My normal 2FA credentials were used the day following the compromise and worked correctly. Nitrogen's response was that upon completion of their investigation "We've concluded no illegitimate access to the account has occurred as a result of a breach of Nitrogen Sports security."

They refused to provide pretty much any further information. I made multiple requests for the IP(s) that accessed my account during the time period that were denied. In desperation I even requested simply that they confirm the IP(s) that accessed my account was NOT the usual login location and they also refused to assist me with that inquiry. They blamed it all on some type of user privacy policies for "my own" protection.
3  Economy / Gambling discussion / Re: PSA: Nitrogen Account w/ 2FA Compromised and Emptied on: March 09, 2017, 08:53:45 PM
This was also posted on reddit if you'd like to view further discussion: https://www.reddit.com/r/Bitcoin/comments/5yhinf/psa_nitrogen_account_w_2fa_compromised_and_emptied/
4  Economy / Gambling / PSA: Nitrogen Account w/ 2FA Compromised and Emptied on: March 09, 2017, 08:42:00 PM
PSA: My Nitrogen account was compromised and emptied with 2FA enabled. Please be wary of leaving balances on this site. None of my other accounts were compromised or show any evidence of break-ins. Nitrogen support has been totally unhelpful, even refusing to confirm if the withdrawals were made from a remote location.

Full thread with details here: https://bitcointalk.org/index.php?topic=1819885.0
5  Economy / Gambling discussion / PSA: Nitrogen Account w/ 2FA Compromised and Emptied on: March 09, 2017, 08:31:42 PM
Hi,

I am a reasonably well known member of the high stakes gambling community but have chosen to keep this post anonymous at this time. I have been playing on nitrogensports.eu (mostly poker, but also the occasional sports bet) for over 2 years and have generally been pleased with their site. I enabled 2FA on the account (via Google Authenticator) very early on and have not changed it in at least a year (most likely two). On nitrogen, they require an OTP for logging in as well as requesting withdrawals. My email address is not connected to my account at all and I use a unique username/password to access the site that is not shown to other players and not used on other sites.

I woke up one day last week to find that my balance was empty and 2 successful withdrawals had been made. I immediately contacted support via their on-site ticket system and began inspecting all of my other accounts to try to figure out what had happened. After several days of fruitless back and forth with support and a full investigation of my own devices and accounts, I still can’t seem to figure out what happened and how my account was compromised. I was hoping someone who perhaps knows a bit more about 2FA and Google Authenticator could point me in the right direction.

Here are the facts as I understand them:

1. My 2FA Device (iPhone) was always and still is in my possession
2. None of my Gmail accounts were accessed from any devices or locations that are not mine
3. My iCloud account was not accessed from any devices/locations that are not mine and has 2FA of its own
4. Nitrogen was not affected by the CloudFlare vulnerability
5. There is no evidence that either one of my home computers was compromised
6. My iPhone is not backed up anywhere locally
7. None of my other 2FA enabled accounts were touched in any way. No failed logins, nothing. This includes other bitcoin exchanges/wallets.

Nitrogen conducted some type of investigation relating to the matter but did not return any useful results. What am I missing? How did this person get access to all 3 credentials (username, pass, and 2FA secret)?