Potential breaches of fintech client accounts have sparked a debate about the security of deposits held with trading firms.
2FA is often the only line of defense offered by CFD brokers, and their security measures lag significantly behind those of the banking sector.
While two-factor authentication is mandatory at Plus500, for example, Robinhood merely “encourages” users to enable it.
The recent XTB security breach that allegedly cost a Polish client approximately 150,000 zlotys ($38,000) has ignited a fierce debate about whether optional security measures are sufficient for CFD brokers and retail trading platforms in 2025.
Following the incident, in which hackers reportedly executed thousands of rapid trades to drain a client's account, cybersecurity experts are calling for fundamental changes to how financial companies protect client assets.
As it turns out, the XTB case is not isolated, and when it comes to retail trading companies, the saying “you can bank on it” doesn’t always hold true.
The Anatomy of a Modern Financial Hack
Rather than attempting a direct withdrawal, which can only be sent to a verified account, the attackers opened offsetting buy and sell positions in low-liquidity instruments, so that the victim's XTB account consistently took the losing side of each trade while the opposite side booked the profit. The client had not enabled two-factor authentication (2FA), a detail that has become central to the broader security debate.
“2FA isn't just recommended, it's a must. Even the strongest password is still a single point of failure. A simple password combined with enforced 2FA is far safer than forcing users into complex ones they'll end up writing down,” commented Mate Ivanszky, Founder & CEO of Matworks.
What makes this case particularly concerning is the apparent lack of automated fraud detection. The attack exhibited multiple red flags that should have triggered an immediate security response: a login from an unfamiliar IP address, extraordinarily high trading volume, and activity completely outside the client's historical pattern.
If a trader typically performs two or three operations per month and suddenly executes hundreds in a single day, the system should catch that, whether by alerting, by requiring re-authentication, or by pausing new orders until the activity is confirmed. XTB, however, takes a different view, citing the specific nature of the market as its explanation.
“Due to the nature of the market and the speed at which investment decisions are made, we do not apply automatic restrictions based on changes in investor preferences, such as the initiation of trading in different instruments,” XTB’s PR department explained.
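The red flags listed above (unfamiliar network, trade velocity far above the client's own baseline, instruments the client never traded) are exactly what a behavioural risk scorer keys on. The following is an added example written for this article, not XTB's or any broker's code: it scores a day of account events against a per-client profile and maps the score to an action. The profile, the events, the /24 network grouping, the weights and the thresholds are all constructed assumptions for illustration.

```python
"""Behavioural risk scoring for a retail trading account (added example).

Scores a list of account events against the client's own history:
  - a login or trade from an IP network the client has never used,
  - more trades in any 24-hour window than the client's baseline allows,
  - trading in instruments the client has never traded before.
All weights, thresholds and sample data below are constructed for this
example and would be tuned per client segment in a real deployment.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str             # "login" or "trade"
    ip: str
    instrument: str = ""  # only meaningful for trades


@dataclass
class Profile:
    trades_per_month: float
    known_networks: set[str]  # /24 networks seen on past verified logins
    instruments: set[str]     # instruments the client has traded before


def network_of(ip: str) -> str:
    """Collapse an address to its /24 so a home DHCP change is not a 'new' network."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def max_trades_in_window(events: list[Event], window: timedelta = timedelta(hours=24)) -> int:
    """Largest number of trades falling inside any sliding window (two-pointer scan)."""
    times = sorted(e.ts for e in events if e.kind == "trade")
    best = j = 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start < window:
            j += 1
        best = max(best, j - i)
    return best


def assess(profile: Profile, events: list[Event]) -> dict:
    """Return a score, the reasons that contributed, and the action to take."""
    score, reasons = 0, []

    # 1. Any activity from a network never seen on a verified login.
    if {network_of(e.ip) for e in events} - profile.known_networks:
        score += 40
        reasons.append("new_network")

    # 2. Velocity: allow some headroom over the monthly baseline, never fewer than 10.
    velocity_limit = max(10, 5 * profile.trades_per_month)
    burst = max_trades_in_window(events)
    if burst > velocity_limit:
        score += 40
        reasons.append("velocity")

    # 3. Instruments the client has never traded (a weaker, supporting signal).
    if {e.instrument for e in events if e.kind == "trade"} - profile.instruments:
        score += 20
        reasons.append("new_instrument")

    if score >= 60:
        action = "step_up_and_hold"   # force re-authentication, pause new orders
    elif score >= 30:
        action = "alert"              # notify client and fraud desk, keep trading open
    else:
        action = "allow"
    return {"score": score, "reasons": reasons, "action": action}


# Constructed sample data: a client with 2-3 trades a month from one home network.
CLIENT = Profile(trades_per_month=3, known_networks={"203.0.113.0/24"},
                 instruments={"EURUSD", "DE40"})
T0 = datetime(2025, 7, 1, 9, 0)
NORMAL_DAY = [
    Event(T0, "login", "203.0.113.45"),
    Event(T0 + timedelta(minutes=20), "trade", "203.0.113.45", "EURUSD"),
    Event(T0 + timedelta(hours=3), "trade", "203.0.113.45", "EURUSD"),
]
# Attack pattern: new network, 40 trades in 80 minutes, an instrument never traded before.
ATTACK_DAY = [Event(T0, "login", "198.51.100.7")] + [
    Event(T0 + timedelta(minutes=5 + 2 * i), "trade", "198.51.100.7", "LOWLIQ-EXAMPLE")
    for i in range(40)
]

if __name__ == "__main__":
    for name, day in (("normal", NORMAL_DAY), ("attack", ATTACK_DAY)):
        print(name, assess(CLIENT, day))
```

The point of the three-tier action is that a broker does not have to choose between blocking legitimate fast trading and doing nothing: a score that only crosses the first threshold sends an alert, while the combination of signals seen in the XTB account triggers a step-up challenge before further orders are accepted.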
Expert Consensus: Optional Security Is No Longer Acceptable
Jon Bellard, Head of Product at Rootshell Security, argues that the incident exposes fundamental gaps in modern fintech security. “While the user not enabling 2FA is a clear risk factor, platforms like XTB carry a responsibility to protect users even when they make mistakes,” he states. “In 2025, it's not enough to offer 2FA, it should be mandatory, particularly for high-risk platforms.”
And while 2FA might seem like a legal requirement today, XTB explains that this is not always the case: “PSD2 regulations and payment services laws apply to companies providing payment services, not brokerage firms like XTB. Therefore, these regulations only apply to our eWallet payment service provided by DiPocket, where we implemented strong authentication in August 2024.”
This highlights that brokerage activities do not face the same mandatory strong-authentication requirements as payment and banking services, even though they involve similar financial risks.
However, in an interview with FinanceMagnates.com, XTB’s CEO noted that 80% of the company’s new clients invest in stocks and ETFs rather than CFDs. He also reiterated XTB’s ambition to become an “all-in-one financial super app.” Given this shift toward more bank-like services, shouldn't the company prioritize stronger security measures?
A Mixed Picture of Industry Standards
While XTB's approach appears questionable, security standards among CFD brokers and retail trading apps remain inconsistent across the industry. The reality is that many do not implement significantly more security measures than XTB's original setup, suggesting this is an industry-wide challenge rather than an isolated problem.
FinanceMagnates.com has verified that Robinhood also offers only optional 2FA. Plus500 does require 2FA, but additional protections such as IP blocking or geo-restrictions are generally lacking. Whether it's a large publicly listed broker or a fintech focused on retail trading, most rely on fraud detection systems, login alerts, and manual reviews.
“Security cannot be a user's responsibility when entrusted with client money,” commented Marijus Breidis, the CTO at NordVPN. “Behavioral risk detection should be enabled by default, not buried in settings menus. Platforms prioritize convenience over fundamental security and then blame their customers when the inevitable happens. That approach is irresponsible and completely surrenders their duty to protect client assets.”
Ivanszky agrees, adding that regulated financial institutions have a clear and enforceable duty to safeguard client funds. “This responsibility begins with ensuring that access to client accounts is properly authenticated, and continues through every transaction that could affect the security or disposition of those funds.”
XTB Does Not Confirm Incident, but Increases Security Measures
XTB neither confirms nor denies that such an incident occurred, but emphasizes that no similar breach has ever taken place involving clients with 2FA enabled.
Moreover, following the public outcry, XTB may end up being more secure than the industry standard. The company’s press office outlined its current approach: “In recent weeks, we have significantly simplified and expanded 2FA. Extended testing has already been completed, and as of July 14, clients will have two options: SMS codes or an authenticator app.”
The firm will also begin automatically enabling 2FA for existing clients, and starting in Q4 2025, all new users will be required to activate it. The company has also introduced additional monitoring systems.
“We continuously monitor information about password leaks published online and cross-check them with our database. If a match is found, we notify clients to change their password,” the spokesperson said. “We have also built and continue to expand our internal database of suspicious IP addresses; logins from such locations trigger enhanced security protocols.”
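The leak cross-check the spokesperson describes has one practical constraint worth spelling out: a broker that stores passwords correctly holds only salted hashes, so a leaked e-mail/password pair cannot be matched by comparing plaintexts. The following is an added example, not XTB's code, showing how such a cross-check can be done against a hashed user table: each leaked password is verified against the stored hash of the matching account, and only accounts that actually appear in the dump are verified, so the expensive work scales with the intersection. The user records, the dump lines, the `email:password` dump format and the PBKDF2 parameters are constructed assumptions for this example.

```python
"""Cross-checking a published credential dump against a hashed user table (added example).

The broker's user table holds salted PBKDF2 hashes only. A leaked password is
matched by verifying it against the stored hash of the account with the same
e-mail, never by comparing or storing plaintexts. Users, dump lines, dump format
and work factor are constructed for this example.
"""
from __future__ import annotations
import hashlib
import hmac
import os

# Work factor kept modest so the example runs quickly; production deployments use a
# higher cost, or a memory-hard function such as scrypt or Argon2.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return a self-describing 'pbkdf2_sha256$iterations$salt$hash' string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def parse_dump(text: str) -> dict[str, set[str]]:
    """Parse 'email:password' lines; skip malformed lines; normalise e-mail case.

    One e-mail may appear with several passwords across combined dumps, hence the set.
    """
    creds: dict[str, set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds.setdefault(email.strip().lower(), set()).add(password)
    return creds


def find_matches(users: dict[str, str], dump: dict[str, set[str]]) -> list[str]:
    """E-mails whose current password appears in the dump.

    Only accounts present in both the user table and the dump are verified, so the
    number of PBKDF2 evaluations is bounded by the size of the intersection rather
    than by the size of the dump. The plaintexts are used here and discarded.
    """
    hits = []
    for email in users.keys() & dump.keys():
        if any(verify(candidate, users[email]) for candidate in dump[email]):
            hits.append(email)
    return sorted(hits)


# Constructed user table: alice reuses a password that is in the dump, bob's leaked
# password is an old one that no longer verifies, carol does not appear in the dump.
USERS = {
    "alice@example.com": hash_password("Winter2024!"),
    "bob@example.com": hash_password("correct horse battery staple"),
    "carol@example.com": hash_password("s0me-0ther-passphrase"),
}

# Constructed dump text in the common 'email:password' layout, including a malformed line.
DUMP = """alice@example.com:Winter2024!
Bob@Example.com:hunter2
garbage line without a separator
dave@example.com:letmein
"""

if __name__ == "__main__":
    for email in find_matches(USERS, parse_dump(DUMP)):
        print(f"{email}: current password found in leak, force reset and notify")
```

Two operational notes follow from the design. The hits list is the only thing that should leave the batch job: the dump plaintexts must not be logged or written to the user table. And because the matching account is forced to reset rather than merely warned, an attacker who already holds the leaked credential gains nothing from the notification itself.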
Damian's adventure with financial markets began at the Cracow University of Economics, where he obtained his MA in finance and accounting. Starting from the retail trader perspective, he collaborated with brokerage houses and financial portals in Poland as an independent editor and content manager. His adventure with Finance Magnates began in 2016, where he is working as a business intelligence analyst.