...
Thank you for this quick update. I feel more at ease now that the situation will be resolved.
But your remark about "only email verification" does not make much sense. Even with email verification there should be a code sent to the email with every new device logging in. And the fact that we didn't get a code says the hacker managed to circumvent the verification. And this person probably could have circumvented the 2FA too. Looks like it was someone connected to your database, maybe even an employee. I think you should seriously investigate it and kick suspicous employees out.
That suspicion makes sense. The official explanation is confusing, honestly. Any new device login should still trigger verification email or 2FA that's just how it's supposed to work. But if someone got into the server directly, all of that becomes irrelevant. Not personally hit by this but still worried, this platform gets used regularly and a withdrawal went through just hours before finding out what happened. At least 2UP responded. Now it's just waiting. Hope the people who got affected actually see their money come back.
I know that many users might be wary of this situation. If only email verification was available, it should, in most cases, send a verification email or alert at login time from a new device. As some of those affected users reportedly got nothing, questions have been raised on how the attackers were able to go through the system. However, without proof it may be too early to label staff as the culprits. Now, it's whether 2UP will investigate in an open manner, describe what actually occurred, and restore all balances that were affected. While it's good that it's quick to communicate from the platform, users will demand improved security features going forward.
