Bitcoin Forum
Topic: How can an online exchange account be hacked with 2FA turned on?
johnny5johnny5 (OP)
August 25, 2017, 03:58:30 AM
 #1

Can someone please explain to me how your account can be hacked if you have 2FA turned on? Does that not mean they would need access to both your Bittrex login and your cellphone where the 2FA code is sent?

Link to the article describing a phishing scam is provided here:

https://www.hackread.com/fake-bittrex-cryptocurrency-exchange-site-stealing-user-funds/

Quote from article: "And they will get your password and authenticator code once you try to log in on their website! It all happens in less than five minutes!"

ahmedjamal1998
August 25, 2017, 04:13:54 AM
 #2

As you read in the article, it was a phishing website where a new site is created as a copy of the old one to scam people.
Basically, what it did was log the fake website owner in to the real Bittrex. How?

Let me explain.
1- Enter fake site
2- Enter email and pass
3- Fake site logs into real Bittrex and enters the data you typed exactly
4- Real site sends you 2FA code to make sure it's you
5- You only see the fake site
6- Fake site asks you for the code and you enter it
7- Fake site goes to real site and enters that code.

Congratulations, fake site owner is in your account and can withdraw all your coins easily.

Always be cautious and check the URL more than once. Not only in exchanges but generally in anything that involves your money/assets/identity.

figmentofmyass
August 25, 2017, 04:36:33 AM
 #3

Quote from: ahmedjamal1998 on August 25, 2017, 04:13:54 AM
> As you read in the article, it was a phishing website where a new site is created as a copy of the old one to scam people.
> Basically, what it did was log the fake website owner in to the real Bittrex. How?
>
> Let me explain.
> 1- Enter fake site
> 2- Enter email and pass
> 3- Fake site logs into real Bittrex and enters the data you typed exactly
> 4- Real site sends you 2FA code to make sure it's you
> 5- You only see the fake site
> 6- Fake site asks you for the code and you enter it
> 7- Fake site goes to real site and enters that code.
>
> Congratulations, fake site owner is in your account and can withdraw all your coins easily.
>
> Always be cautious and check the URL more than once. Not only in exchanges but generally in anything that involves your money/assets/identity.

in this scenario, can they successfully withdraw coins, though? i've been on many exchanges, and there is always another 2FA entry (and often, email confirmation) upon withdrawal request. a TOTP code is only good once, and one code is not nearly enough for them to start figuring out how to crack the 2FA token itself. so i think this plan needs some additional sophistication to pull off.

if an account gets hacked with 2FA enabled, my first assumption is that the site may have had a database leak in which both passwords (or weak hashes of passwords) and 2FA tokens were compromised.
