We highly recommend users enable two-factor to further secure their accounts and protect them from most automated attacks. However, many users will still use the same passwords and email combinations they use on other sites as well as weak password to protect their accounts. Bittrex keeps your user information secure and has never leaked any passwords. However, many sites in the Crypto world have been hacked and the hackers have databases that they attempt to use to login to accounts. This is why we suggest enabling two-factor.
If your account has been hacked and you did not have two-factor enabled, there is nothing we can do for you. You can enter a ticket reporting the hack and we will disable any accounts associated with the hack, however, the funds are almost always already removed by the time your ticket is received.
If you had two-factor enabled and were still hacked, which is less common but still happens, please let us know and we can help investigate the logon history.