It's probably only the account creation tool that either saves keys, or maybe someone got access to it and saved the keys.
As my email has 2FA enabled, there is a very low chance of the email being compromised.
I can only say one thing: just change your password in a timely manner.
Nothing can be trusted.
That's true. We should create some tool that would use additional 2FA security for access to the account, e.g. the user who runs them will have his keys encrypted with an additional key which can only be unlocked with the code from 2FA. It would also be necessary to create something that would allow for safer and easier password changes. As @mrstorm also wrote, when changing keys, it may also happen that the account will be lost due to failure to save the keys.
Yes, that's another issue if you fail to save the keys. So it's better to have a good internet connection when you are doing recovery.
But I don't think adding 2FA is easier; it will instead let the key pass through another service.
The keys are safe with the current flow; we just need to make sure to use account creation services we trust, or at least keep changing the password.
Thanks
That is, I was thinking more about securing the withdrawal of funds from the wallet and viewing the keys in the additional 2FA wallet. Of course, someone can still use scripts, but this somewhat narrows the number of potential fraudsters and thieves.