Poloniex troubles - Consider an actual wallet for your MAID

That is an interesting one.

The comments are a collection of the good, the bad, the misinformed and misinformation. The trolls love trolling Poloniex posts, don’t they?

Firstly, the poster does NOT give any indication of how they bypassed 2FA; they just say it was an exploit, basically a baseless statement to add weight to their post.

Secondly, they got the user’s password from a leaked database of another site, and the user used the same password.

Thirdly, he does not understand the “robots.txt” file or the way the email fault works. The email problem is like this forum, which opens up links to give you a preview of the link (nothing to do with “robots.txt”). The email client (Live, anyone?) has JavaScript code that accesses the link from your browser and displays it in the displayed email. Thus the confirmation is automatically confirmed.

Fourthly, if you have 2FA then you don’t have email confirmation unless you love pain. So this adds weight to the fact that the poster did not break 2FA (point 1).

tl;dr

Reading the post & the comments from the original poster:

  • he did not break 2FA and just said so to add weight to his claims
  • he got a password from a leaked database of another site
  • he used a fault in “Live”’s email that automatically loads links in the email (like this forum does)

So there is nothing much Poloniex can do other than advise people not to use “Live” for their email address (and you are stupid if you do), and to change their password. EDIT: actually, Poloniex should add a tick box and a click to confirm on the confirmation page. That way a simple preview will not “auto” confirm.

We need to read these claims by people carefully, as this one is a simple hack that will work against any exchange that uses email confirmations where some users reuse the same password they used on another site whose password database was leaked.

EDIT: BTW, I am not using Poloniex anymore (at least for now) except to get prices.

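The mechanism the post describes, and the fix it suggests in the EDIT, can be modelled end to end. The following is an added example, not code from the thread, from the original poster, or from Poloniex: an in-memory stand-in for an exchange's withdrawal confirmation endpoint, a "previewer" that does what an email client's link-preview feature does (a single GET to every URL in the message, no form submission), and two versions of the confirmation handler. The vulnerable one executes the withdrawal as soon as a valid token arrives by GET, so the previewer confirms it. The hardened one only renders a form on GET and executes the withdrawal on a POST that carries the token, a per-page anti-forgery token and a ticked checkbox, which a previewer never submits. The URL shape, the service layout and the token names are assumptions for the illustration.

```python
# Added example (not from the thread or from Poloniex): an email link previewer
# auto-confirming a GET-based withdrawal link, versus a confirmation page that
# needs an explicit POST with a ticked box. URL shape, service layout and
# token names are assumptions for the illustration.
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit
import secrets


@dataclass
class Request:
    method: str
    path: str
    query: dict
    form: dict = field(default_factory=dict)


class WithdrawalService:
    """In-memory stand-in for the exchange's withdrawal state."""

    def __init__(self):
        self.pending = {}         # confirm token -> withdrawal description
        self.confirmed = []       # withdrawals that were executed
        self.csrf_tokens = set()  # tokens handed out to rendered confirm pages

    def request_withdrawal(self, address, amount):
        """Creates a pending withdrawal and returns the emailed confirm link."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"address": address, "amount": amount}
        return f"https://exchange.example/withdraw/confirm?token={token}"


def vulnerable_confirm(svc, req):
    """Executes the withdrawal on any request carrying a valid token,
    so a plain GET from a link previewer is enough."""
    token = req.query.get("token")
    if token in svc.pending:
        svc.confirmed.append(svc.pending.pop(token))
        return 200, "Withdrawal confirmed"
    return 400, "Bad request"


def hardened_confirm(svc, req):
    """GET only renders a form; executing needs a POST with the box ticked
    and a per-page anti-forgery token that a previewer never submits."""
    if req.method == "GET":
        token = req.query.get("token")
        if token not in svc.pending:
            return 404, "Unknown withdrawal"
        csrf = secrets.token_urlsafe(16)
        svc.csrf_tokens.add(csrf)
        return 200, (
            '<form method="post" action="/withdraw/confirm">'
            f'<input type="hidden" name="token" value="{token}">'
            f'<input type="hidden" name="csrf" value="{csrf}">'
            '<input type="checkbox" name="i_confirm" value="yes"> I confirm'
            '<button>Confirm withdrawal</button></form>'
        )
    if req.method == "POST":
        token = req.form.get("token")
        csrf = req.form.get("csrf")
        if (token in svc.pending and csrf in svc.csrf_tokens
                and req.form.get("i_confirm") == "yes"):
            svc.csrf_tokens.discard(csrf)
            svc.confirmed.append(svc.pending.pop(token))
            return 200, "Withdrawal confirmed"
        return 400, "Confirmation rejected"
    return 405, "Method not allowed"


def link_preview_fetch(handler, svc, url):
    """Models the email client's previewer: one GET to the URL, nothing else."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return handler(svc, Request("GET", parts.path, query))


def user_confirms(handler, svc, url):
    """Models the real user: loads the page, ticks the box, submits the form."""
    status, body = link_preview_fetch(handler, svc, url)
    if status != 200 or "<form" not in body:
        return status, body
    token = body.split('name="token" value="')[1].split('"')[0]
    csrf = body.split('name="csrf" value="')[1].split('"')[0]
    form = {"token": token, "csrf": csrf, "i_confirm": "yes"}
    return handler(svc, Request("POST", "/withdraw/confirm", {}, form))


def scenario(handler, actor):
    """Runs one withdrawal through `handler` driven by `actor`; returns
    whether the withdrawal ended up executed."""
    svc = WithdrawalService()
    url = svc.request_withdrawal("attacker-address", 100)  # constructed input
    actor(handler, svc, url)
    return len(svc.confirmed) == 1


if __name__ == "__main__":
    print("previewer vs vulnerable:", scenario(vulnerable_confirm, link_preview_fetch))  # True
    print("previewer vs hardened:  ", scenario(hardened_confirm, link_preview_fetch))    # False
    print("real user vs hardened:  ", scenario(hardened_confirm, user_confirms))         # True
```

The point of the hardened handler is not the checkbox itself but that the state change moves off GET and onto a request that an automated fetcher cannot construct: the anti-forgery token is only present in the rendered page, and the previewer never submits the form. The same reasoning applies to any "click this link to confirm" flow, not just withdrawals.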