While on a vacation in August, Erez Hartal and Tali Hartal logged into their retirement-trading accounts at tastytrade only to find a nightmare unfolding. Dozens of trades, none placed by them, flashed across the screen, many minutes after the market was closed. “Look at these trades at 3:32,” Erez recalled. “That’s after the market closed. I usually don’t place trades after the market has closed.”

With each unauthorized trade, the couple watched their savings shrink at an alarming pace. Erez described the sequence: “A lot of trades, very frequent, buy and sell for huge losses.” Within a short time frame, the losses reached a staggering $180,000, dealing a gut punch to their retirement plans.

Tracking the Breach and the Broker’s Response

The Hartals reported the incident to the Wilmette Police Department, who traced the login to a New Jersey IP address. Meanwhile, tastytrade confirmed there had been an “intrusion” but asserted the responsibility did not lie with them. Their reasoning: the Hartals had not enabled the optional two-factor authentication (2FA) feature. “We rolled out this additional security feature to mitigate the risk of this occurring to our customers,” wrote a tastytrade fraud manager.

Erez pushed back: “I know that this was an option, but it was never made mandatory.” He argued that at the scale of account value and risk, basic login protection should have been non-negotiable.

Expert View: The Weakness of Optional Security

Nicole Jiang, CEO and co-founder of cybersecurity firm Fable Security, weighed in. She described 2FA as a “good protective step,” but added that even standard text or email code systems are less secure than true biometric methods like fingerprints or voice recognition. “I highly recommend businesses to reinforce multiple factors. I think that would reduce a significant amount of fraudulent attempts like this.” The takeaway: when login security is optional, the risk is elevated, and when large sums are involved, the consequences are steep.

Partial Reimbursement, Lingering Frustration

In the aftermath, tastytrade offered to reimburse half of the Hartals’ losses. While this might seem like a gesture of accountability, Tali did not see it that way: “If they didn’t think that they were at fault, they wouldn’t even offer the 50%,” she said. No further public response came from tastytrade, despite multiple outreach attempts by media. Meanwhile, the Hartals, still nursing the blow to their retirement outlook, are now signed up for 2FA, and hope their story serves as a warning to others.

What This Really Means for Investors

The Hartal case is a brutal reminder that when you combine large retirement stakes, trading platforms, and optional security features, the margin for error shrinks drastically. As the Hartals put it: “It makes us think twice of if we’ll be able to retire at all, and if so, when.” You might not be able to control everything—the market, your broker’s policies, but you can control your protective steps. Enable two-factor authentication. Demand accountability. And treat your account like you would a safety deposit box: if you wouldn’t leave it unlocked, don’t leave your account vulnerable.