tl;dr – I believe at least some HitBTC customer credentials are in the wild. Change your password and enable 2FA/security key access.
I woke up to an email from HitBTC around 1am my local time stating there had been a successful login from a new IP address. I was asleep at that time so it wasn’t me. Fortunately I didn’t lose any funds, as I can’t withdraw the very small amount I have on HitBTC until they have my KYC info. I didn’t have 2FA enabled (oops), so if I had lost any money it would have at least partially been on me.
The password for my account was unique to the HitBTC site, and it’s unlikely that it was brute-forced due to its complexity, so I wanted to post here as a warning to those with HitBTC accounts because it seems that at least some customer credentials may have been stolen. I decided a year or two ago not to provide KYC info to them because the amount of money I had on their site was not worth the potential of my PII being stolen. I think I made the right call.