I've been reading https://bitcointalk.org/index.php?topic=2594916.new#new and I know how it feels. It happened to me a year before.
The idea is that there is usually extra security around withdrawing.
For example, some API keys do not allow withdrawals. We can specify not to withdraw with the API and stuff. Poloniex and most exchanges even have a warning before people enable API withdrawal.
However, there is another way hackers can steal money.
They can trade at a deliberate loss.
1. Convert all money into BTC
2. Find some low-volume, big-spread pair
3. Repeatedly buy high sell low
4. A hacker account is the counterparty of such trades.
Some hackers do this in less than a few seconds.
There are things that the exchange can do to prevent this. If they see something obviously asinine like this, they can just block the hackers' account. Most of the time they do nothing. They can put a warning in front of everyone before customers enable the API.
I've heard of several cases at Poloniex. I've heard of some cases at HitBTC.
How do we prevent this in the future?
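
Added example, not part of the original post and not any exchange's own code: a sketch of the exchange-side check the post says is possible, flagging an account that repeatedly buys high and sells low on one pair against the same counterparty within seconds. The fill record layout, account names, pair names and thresholds are all assumptions, and the sample fills are constructed.

```python
from collections import defaultdict

# Constructed sample fills (not real exchange data):
# (ts_seconds, account, counterparty, pair, side, price_btc, qty)
FILLS = [
    (0.0, "victim", "acct_x", "AAA/BTC", "buy", 0.0150, 100),
    (0.4, "victim", "acct_x", "AAA/BTC", "sell", 0.0100, 100),
    (0.9, "victim", "acct_x", "AAA/BTC", "buy", 0.0150, 100),
    (1.3, "victim", "acct_x", "AAA/BTC", "sell", 0.0100, 100),
    (5.0, "trader", "acct_y", "ETH/BTC", "buy", 0.0500, 10),
    (900.0, "trader", "acct_z", "ETH/BTC", "sell", 0.0499, 10),
]

def flag_loss_transfers(fills, window=60.0, min_loss_btc=0.5, min_round_trips=2):
    """Flag (account, counterparty, pair) groups that bleed BTC to one counterparty.

    Buys are matched FIFO against later sells to the same counterparty; only
    round trips completed within `window` seconds count toward the loss.
    """
    groups = defaultdict(list)
    for ts, acct, cpty, pair, side, price, qty in fills:
        groups[(acct, cpty, pair)].append((ts, side, price, qty))
    alerts = []
    for (acct, cpty, pair), rows in groups.items():
        rows.sort()
        open_buys = []          # FIFO of [ts, price, remaining_qty]
        loss, trips = 0.0, 0
        for ts, side, price, qty in rows:
            if side == "buy":
                open_buys.append([ts, price, qty])
                continue
            while qty > 0 and open_buys:
                buy = open_buys[0]
                if ts - buy[0] > window:      # stale buy: not a rapid round trip
                    open_buys.pop(0)
                    continue
                matched = min(qty, buy[2])
                loss += (buy[1] - price) * matched   # positive = bought high, sold low
                trips += 1
                buy[2] -= matched
                qty -= matched
                if buy[2] <= 0:
                    open_buys.pop(0)
        if trips >= min_round_trips and loss >= min_loss_btc:
            alerts.append({"account": acct, "counterparty": cpty, "pair": pair,
                           "round_trips": trips, "loss_btc": round(loss, 8)})
    return alerts

if __name__ == "__main__":
    for alert in flag_loss_transfers(FILLS):
        print(alert)
```

An alert like this could feed a hold on both accounts or a forced re-authentication of the API key, since only the exchange can see who the counterparty is.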